{ "type": "URL", "indicator": "https://ww5.ponball.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww5.ponball.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3752876025, "indicator": "https://ww5.ponball.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb9815816db0de034f3a3", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:17.285000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb98c440c1c45ec12ccdc", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:28.063000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb98d9818cca8f130c195", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:29.619000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb998c3b7662e5059b6c2", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:40.759000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d60aae6e1b3c22455088", "name": "Hive 0065", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:06:02.329000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "899 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d6f5f56d2e9cd9e18a30", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:09:57.370000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "899 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568b00198f82af2e88d463", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-16T21:34:56.016000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6552d6f5f56d2e9cd9e18a30", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "899 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://tulach.cc/ [malware engineering | phishing]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "http://mail.thyrsus.com/ [phishing]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "caselaw.lawlink.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "1click-uninstaller.informer.com [Apple - access PE]", "https://timersys.com/ [ phishing | deb opera.com]", "Tracking: 8.8.4.4 [ NOT a false.positive]", "support.apple.com [nefarious]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "message.htm.com [ message stealer]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.nsogroup.com", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "deviceinbox.com [malware hosting]", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "ppa.launchpad.net [Apple open use]", "cbi.com", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "enterprise.cellebrite.com [ digitalclues.com]", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Worm:win32/bloored.e", "Pws:win32/xport", "Makop", "Mirai", "Ransomexx (elf)", "Ransom:win32/makop", "Artro", "Dark power", "Alf:trojan:powershell/dynamicloader", "Qakbot", "Pegasus", "Formbook", "Amadey", "Cobalt strike", "Hacktool", "Lumma stealer", "Emotet", "Lockbit", "Quasar rat", "Alf:trojan:win32/formbook", "Backdoor:win32/mydoom", "Tulach", "Eternalblue" ], "industries": [ "Civil society", "Healthcare" ], "unique_indicators": 93512 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ponball.com", "whois": "http://whois.domaintools.com/ponball.com", "domain": "ponball.com", "hostname": "ww5.ponball.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532c76eb3bf5edd9609b", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:08.181000", "created": "2026-04-06T06:31:08.181000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d3532a6537880f6e2c68dc", "name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek", "description": "", "modified": "2026-04-06T06:31:06.730000", "created": "2026-04-06T06:31:06.730000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "65bbb998c3b7662e5059b6c2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb9815816db0de034f3a3", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:17.285000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bbb98c440c1c45ec12ccdc", "name": "Dark Power - Pegasus | https://lawlink.com/", "description": "Dark Power ransomware first emerged in early 2023. The group engages in multi-extortion, threatening to release victim data for various reasons. Dark Power encrypts the victim's files and requests a ransom payment in exchange for the decryption key. Dark Power's ransom note is distinct from other ransomware campaigns.\n\nPrivilege and other abusive practices considering individuals targeted.", "modified": "2024-03-02T13:01:40.418000", "created": "2024-02-01T15:32:28.063000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "expiration", "url http", "url https", "hostname", "domain", "domain xn", "orgid1054", "ruen", "multiru", "multi", "fh no", "f no", "m892175", "n1822", "contact", "contacted", "ciphersuite", "backdoor", "generic malware", "mydoom", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "1b@ssl.com", "apple", "all octoseek", "aaaa", "access", "alerts", "analyze", "antivirus", "apple as714", "apple as8075", "bootstrap@4.6.2", "body", "cellebrite", "cobalt strike", "command and control", "content type", "core", "create c", "cyber threat", "dark power", "privilege", "abuse", "legal", "privilege abuse", "preemptive policing", "ransomware", "dns", "worm", "network", "rat", "bat", "colorado", "douglas county", "pd", "racism", "sexism", "cover up", "malicious", "jeffrey reimer dpt", "default", "defender", "delete c", "dnssec", "document file", "dynamic", "dynamicloader", "emotet", "execution", "expiration", "date", "factory", "february", "filehash", "formbook", "hacktool", "framing", "harstel", "florence, co", "sherida", "spyeye", "castle pines", "tools", "defense", "medical malpractice fraud", "scheme", "tsara brashears", "targeting", "swatting", "high", "hostname", "hostnames", "malicious prosecution", "apb", "installer", "intel", "iocs", "ios", "lawlink@2x.svg", "local", "local", "lockbit", "lumma stealer", "corruption", "state actors", "untitled states", "installer", "intel", "makop", "malware", "silencing", "ms windows", "human rights", "civil rights", "retaliation", "name servers", "next", "passive dns", "paste", "collect contacts", "password", "unlock phone", "ios", "apple gateway", "android overlay", "interfacing", "pe32", "pegasus", "phishing", "protect", "pulse", "pulses", "qakbot", "quasar", "ransomexx", "read c", "record value", "regdword", "regsetvalueexa", "relacionada", "sample", "samples", "scan endpoints", "search", "servers", "shared", "show", "ssl certificate", "status", "stealer", "survivor", "t1063", "targets sa", "url", "xport", "write c", "write", "win32", "whois record", "threat", "threat analyzer", "tlsv1", "tracking", "united", "unknown", "urls", "urls https", "ursnif", "v2 document", "vanilla-lazyload@12.0.0", "vista event" ], "references": [ "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "cbi.com", "deviceinbox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]", "http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]", "support.apple.com [nefarious]", "caselaw.lawlink.com", "http://mail.thyrsus.com/ [phishing]", "ppa.launchpad.net [Apple open use]", "http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]", "1click-uninstaller.informer.com [Apple - access PE]", "http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "ALF:Trojan:PowerShell/DynamicLoader", "display_name": "ALF:Trojan:PowerShell/DynamicLoader", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "RansomEXX (ELF)", "display_name": "RansomEXX (ELF)", "target": null }, { "id": "Ransom:Win32/Makop", "display_name": "Ransom:Win32/Makop", "target": "/malware/Ransom:Win32/Makop" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "PWS:Win32/XPort", "display_name": "PWS:Win32/XPort", "target": "/malware/PWS:Win32/XPort" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1353, "URL": 5046, "FileHash-MD5": 5182, "FileHash-SHA1": 2869, "FileHash-SHA256": 4063, "hostname": 2471, "email": 28, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 21019, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "819 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww5.ponball.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww5.ponball.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224450.066815 }