{ "type": "URL", "indicator": "https://www.1stnotice.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.1stnotice.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3901918356, "indicator": "https://www.1stnotice.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69d547f11081d44c4a06c3da", "name": "Not Appreciated: Deleted Documents to Hide this Threat Graph.", "description": "https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815\n\n64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b", "modified": "2026-05-16T07:01:31.305000", "created": "2026-04-07T18:07:45.018000", "tags": [ "attribute", "report", "object", "event", "tnull", "pdfkit.net", "adobe", "dropped children", "deleted documents", "2018 Iran root", "missing documents", "threat graph", "bankers document", "cryptographically unsound", "non secure workflow", "ESIGN act violation", "post signature modification timestamp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 552, "FileHash-SHA1": 475, "FileHash-SHA256": 1340, "domain": 161, "hostname": 910, "URL": 595, "CVE": 1, "email": 6 }, "indicator_count": 4040, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "ssa-gov.authorizeddns", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "hmmm\u2026http://palander.stjernstrom.se/", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.mlkfoundation.net/ (Foundry DGA)", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "remotewd.com x 34 devices", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "APT 10" ], "malware_families": [ "Andromeda", "Koobface", "Apt 10", "Win.malware.installcore-6950365-0", "Nivdort checkin", "Bayrob", "Sality", "Onelouder" ], "industries": [ "Government", "Healthcare", "Golfing" ], "unique_indicators": 25525 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/1stnotice.com", "whois": "http://whois.domaintools.com/1stnotice.com", "domain": "1stnotice.com", "hostname": "www.1stnotice.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69d547f11081d44c4a06c3da", "name": "Not Appreciated: Deleted Documents to Hide this Threat Graph.", "description": "https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815\n\n64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b", "modified": "2026-05-16T07:01:31.305000", "created": "2026-04-07T18:07:45.018000", "tags": [ "attribute", "report", "object", "event", "tnull", "pdfkit.net", "adobe", "dropped children", "deleted documents", "2018 Iran root", "missing documents", "threat graph", "bankers document", "cryptographically unsound", "non secure workflow", "ESIGN act violation", "post signature modification timestamp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 552, "FileHash-SHA1": 475, "FileHash-SHA256": 1340, "domain": 161, "hostname": 910, "URL": 595, "CVE": 1, "email": 6 }, "indicator_count": 4040, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.1stnotice.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.1stnotice.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780235501.2827456 }