{ "type": "URL", "indicator": "https://ww6.microsoftreset.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww6.microsoftreset.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3770987311, "indicator": "https://ww6.microsoftreset.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "6910cafb096eae0dcb39a800", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-09T17:10:19.498000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138a8144a8bf8040a92711", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large", "description": "", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-11T19:12:01.843000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": "6910cafb096eae0dcb39a800", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65676fdedd4bf87319fcd14a", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-11-29T17:07:42.477000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a986b2f9afc18556b1181", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-12-02T02:37:31.842000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": "65676fdedd4bf87319fcd14a", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d5ee5a7359a5e815a6a", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:18.712000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d73e96dd70037ed22a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:39.802000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d76b057b79aaf7ba4a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:40.239000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d8480e4a9ed725f6458", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:56.820000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654140bae73f795aa914e8de", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-31T18:00:26.439000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65401d73e96dd70037ed22a7", "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cbbca7610e92e4262c47", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-11-03T10:30:20.965000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "654140bae73f795aa914e8de", "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65298a6839a49a9aa732bcac", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "IC3 attached to links, apple , messaging, Skype.\nIC3 CN?\nChina? Unclear. Possibly intercepting IC3 complaints or linking to FBI to frame targets. Links show attack is Attorney orchestrated. \nSame group of Apple iTune links affected by Java.Trojan.GenericGB, Apple NetWorm Trojan.Buzus, Dropper.Mudrop, GenPack:Trojan.Generic, Worm.Mytob ,Phishing site, Anonymizer , netsky ,worm and other vulnerabilities over time. \u200eSign of the Times \u2013 Album par Dembiak Music \u2013 Apple Music Autonomous Systems: AS714 Apple Inc AS14061 Digital Ocean Inc AS8560 1 1 Internet SE Anonymizer: Proxy - FireHol malicious url, evasive, pua, worm, network, attack, bad actor, targeting", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-13T18:20:24.042000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "889 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f19f703614354a606c382", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-30T02:50:31.950000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65298a6839a49a9aa732bcac", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "889 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "bpc-old.palantirfoundry.com", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "20.99.186.246 | command and contro", "ussjc9-edge-bx-008.ts.apple.com | malware", "tulach.cc. | Malicious compromises \u2022 Critical", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "72.14.178.174 | command and control", "nr-data.net | Apple Private Data collection", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "96.126.123.244 | command and control", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "00000000.apple.com | remote SIM Swap", "45.33.18.44 | command and control", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86", "103.246.145.111 | scanning host", "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://twitter.com/PORNO_SEXYBABES", "message.htm.com | malware ransomware spreader", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "45.33.2.79 | command and control", "5.79.79.211 | command and control", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder", "They blatantly steal from citizens , blame foreign entities.", "45.33.23.183 | command and control", "nr-data.net | Apple Private Data Collection", "103.246.145.111 phishing", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "45.33.20.235 | command and control", "172.93.103.100 | command and control", "https://tulach.cc/ | phishing", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "37.48.65.150 | command and control", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.", "45.79.19.196 | command and control", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "198.58.118.167 | command and control", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "185.107.56.200 | command and control", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "72.14.185.43 | command and control", "45.33.30.197 | command and control", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "apple.com | malicious \u2022 geo tracking", "103.246.145.111 - scanning host", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "ocsp2.apple.com | IP 17.253.29.199", "45.56.79.23 | command and control" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Botnet army", "Alf:spikeaexr.pevpszl", "Zeus", "Tulach malware", "Ramnit", "Trojan.mirai/genericrxui", "Nimnul", "Ransomexx", "Webtoolbar", "Other malware", "Maltiverse", "Kryptik", "Quasar rat", "Ransom:msil/gandcrab", "Ratel", "Trojanspy", "Gamehack", "Neworder.doc", "Verified", "Ransom:win32/gandcrab.h!mtb", "Et", "Cyber criminal" ], "industries": [ "Health", "Telecommunications", "Public", "Crypto", "Bank", "Banks", "Entertainment" ], "unique_indicators": 87994 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoftreset.com", "whois": "http://whois.domaintools.com/microsoftreset.com", "domain": "microsoftreset.com", "hostname": "ww6.microsoftreset.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "6910cafb096eae0dcb39a800", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-09T17:10:19.498000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138a8144a8bf8040a92711", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large", "description": "", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-11T19:12:01.843000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": "6910cafb096eae0dcb39a800", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658f967a4fc7ebe8021b9382", "name": "Mirai Apple Attack +", "description": "This is hard to make sense of. All calls, clicks on a DGA Domain masquerading as desired service, lands you on the radar of a faux service where in turn bad actors attack everything. Target, remotely hack, follow, smear your life, same victim auto populates 79%, no hunt for assaulter.\n I'm assuming to see it one must 1st be in a Botnet. We keep seeing the same targets but no preparator. \nShe said \"Life was busy, life was good; full of health and hope. Then one sunny October day... I'm still grateful but what happened my body, thoughts and the world around me? Where's God? Am I a criminally responsible for getting attacked?\"", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-30T04:03:06.598000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659127f3265ec6306b607faa", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2023-12-31T08:36:03.380000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65944b9812ea52ab41c0259d", "name": "Mirai Apple Attack +", "description": "", "modified": "2024-01-29T03:01:29.910000", "created": "2024-01-02T17:44:56.709000", "tags": [ "whois record", "ssl certificate", "contacted", "whois whois", "historical ssl", "referrer", "communicating", "resolutions", "apple", "collections", "core", "stealer", "execution", "ratel", "suspicious", "threat", "paste", "iocs", "hostnames", "urls https", "windir", "json data", "localappdata", "ascii text", "unicode text", "pattern match", "file", "indicator", "mitre att", "path", "factory", "hybrid", "general", "memcommit", "regsetvalueexa", "regdword", "t1055", "high", "regbinary", "dynamic dns", "regsetvalueexw", "regsz", "medium", "win32", "malware", "copy", "capture", "name servers", "creation date", "servers", "passive dns", "urls", "domain", "search", "expiration date", "scan endpoints", "all scoreblue", "date", "next", "applenoc", "showing", "status", "united", "as44273 host", "unknown", "all search", "otx scoreblue", "aaaa", "as54113", "privacy inc", "customer", "asnone united", "entries", "pulse pulses", "dga", "redacted for", "as20940", "body", "for privacy", "ipv4", "files", "location united", "america asn", "as54252", "type name", "dns replication", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "elf executable", "sysv", "linux", "elf wgetboat", "contacted urls", "red team", "tsara brashears", "apple phone", "unlocker", "fakedout threat", "hostname", "samples", "mirai", "ph elf", "telefonica de", "elf collection", "llwn", "text", "gp practice", "oracle", "apple ios", "password", "threat network", "kgs0", "kls0", "hacktool", "probe", "malicious" ], "references": [ "https://www.rmvictimlaw.org/about-us/board-directors/hazel-heckers", "https://hybrid-analysis.com/sample/1f75fd5ec731cc5b1f338a5f7f44b42c9f1988214c373bf582d766934399b525", "https://twitter.com/PORNO_SEXYBABES", "IPv4 199.59.243.224 and IPv4 67.21.93.249 - command_and_control", "103.246.145.111 phishing", "nr-data.net | Apple Private Data collection", "BitRAT CnC: File Hash SHA256 23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706", "00000000.apple.com | remote SIM Swap", "https://otx.alienvault.com/indicator/file/23d60876953677ed4627f3449661dc549c0f747adb4b082078dac90d60ae7706#:~:text=%C3%97", "103.246.145.111 - scanning host", "https://app-portal.wsgc.com/saml20/idp/sso?SAMLRequest=jZFBb8IwDIX/SpR70zS0sEa0iA1NQ2IagrLDLlNII4jWJl2cwvj3qyhI7IJ2tPzs9/x5PPmpK3RQDrQ1GY4IxUgZaUttdhneFM/BA57kYxB1xRo+bf3erNR3q8CjbtAA7zsZbp3hVoAGbkStgHvJ19PXBWeE8sZZb6WtMJoCKOc7qydroK2VWyt30FJtVosM771vgIfhETTZCvkF3roTkXtnjZaVIqBk67Q/hUICRrMugzbCn3NfR0XTBI11XlTkCDtJpK3Dc0Ia6rIJASxG81mGP0dpOYqGVEZxGYkk3iaDVMZMKipGMR0kSScDaNXcgBfGZ5hRNghoGrC4YIzTlNMhidPkA6Pl5bhHbXpo90hsexHwl6JYBsu3dYHR+xV+J8AX1Pzs7m4Z318srmBx/m+M4/DWK7+Uf7+c/wI=&RelayState=AcE8QCtmc3hl5id4ZjN8p", "https://www.virustotal.com/en/domain/sipa.be (GoodCop - BadCop 404 error. This may have been a dorkingbeauty graph or collection. There seems to be several VT users experiencing similar issues w/overlap", "https://ms13p01if-qufw21344001.ms.if.apple.com:8083/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 (Apple remote hacktool that enter via Apple media)", "usw2-platform-dmchat-avengers-prod-ext.apple.com", "https://otx.alienvault.com/indicator/hostname/00000000.apple.com#:~:text=%C3%97", "Malware Hosting * Spyware: http://141.98.6.249/boat.arm7, http://141.98.6.249/boat.ppc , http://141.98.6.249/boat.x86" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "trojan.mirai/genericrxui", "display_name": "trojan.mirai/genericrxui", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "658f967a4fc7ebe8021b9382", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 578, "FileHash-SHA1": 521, "FileHash-SHA256": 6392, "URL": 5741, "domain": 2243, "hostname": 1536, "SSLCertFingerprint": 2, "email": 8, "CVE": 1 }, "indicator_count": 17022, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65676fdedd4bf87319fcd14a", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-11-29T17:07:42.477000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a986b2f9afc18556b1181", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-12-02T02:37:31.842000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": "65676fdedd4bf87319fcd14a", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d5ee5a7359a5e815a6a", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:18.712000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d73e96dd70037ed22a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:39.802000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww6.microsoftreset.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww6.microsoftreset.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638801.6721616 }