{
"type": "URL",
"indicator": "https://www.adobe.es",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://www.adobe.es",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2909110629,
"indicator": "https://www.adobe.es",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 7,
"pulses": [
{
"id": "6a141c15cfec672ba39e6a17",
"name": "S0094 clone credit score blue ",
"description": "",
"modified": "2026-05-25T10:03:13.774000",
"created": "2026-05-25T09:53:25.429000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": "6665d55d941729c5f283b3f7",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2951,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17067,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893032410060f658d862c60",
"name": "Hosting App - Partial research | Emotet Worm",
"description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:24:20.645000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "268 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68930449988277cd29c25cb7",
"name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper",
"description": "",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:29:13.136000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6893032410060f658d862c60",
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "268 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6665d55d941729c5f283b3f7",
"name": "S0094-Remote Access - Assurance [a Prudential company]",
"description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
"modified": "2024-07-09T15:02:04.111000",
"created": "2024-06-09T16:16:29.634000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2950,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17066,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "691 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6665d9ae1b06b560698b2a70",
"name": "Assurance [a Prudential company] S0094-Remote Access",
"description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
"modified": "2024-07-09T15:02:04.111000",
"created": "2024-06-09T16:34:54.161000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": null,
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2950,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17066,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "691 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Can the DoD no questions asked target a SA victim",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://es.pornhat.com/models/the-sex-creator/",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"CVE-2023-22518 | CVE-2023-4966",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"If someone is believed to be a threat they have right to due process.",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://meumundogay-com.sexogratis.page/locker",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Assurance",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick.",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"There is fear in silence or speaking out",
"Target agreed and complied with all lie detector measures.",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known."
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,"
],
"malware_families": [
"Malware",
"Win.packed.pincav-7537597-0",
"Alf:jasyp:trojandownloader:win32/karagany!atmn",
"Win32:karagany-d\\ [trj]",
"Trojan:win32/startpage.ss",
"Trojan.karagany - s0094",
"Win.trojan.xtoober-650",
"Apnic"
],
"industries": [
"Healthcare",
"Telecommunications",
"Finance - insurance sector",
"Technology"
],
"unique_indicators": 45699
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/adobe.es",
"whois": "http://whois.domaintools.com/adobe.es",
"domain": "adobe.es",
"hostname": "www.adobe.es"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 7,
"pulses": [
{
"id": "6a141c15cfec672ba39e6a17",
"name": "S0094 clone credit score blue ",
"description": "",
"modified": "2026-05-25T10:03:13.774000",
"created": "2026-05-25T09:53:25.429000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": "6665d55d941729c5f283b3f7",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2951,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17067,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893032410060f658d862c60",
"name": "Hosting App - Partial research | Emotet Worm",
"description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:24:20.645000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "268 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68930449988277cd29c25cb7",
"name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper",
"description": "",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:29:13.136000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6893032410060f658d862c60",
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "268 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6665d55d941729c5f283b3f7",
"name": "S0094-Remote Access - Assurance [a Prudential company]",
"description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
"modified": "2024-07-09T15:02:04.111000",
"created": "2024-06-09T16:16:29.634000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2950,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17066,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "691 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6665d9ae1b06b560698b2a70",
"name": "Assurance [a Prudential company] S0094-Remote Access",
"description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966",
"modified": "2024-07-09T15:02:04.111000",
"created": "2024-06-09T16:34:54.161000",
"tags": [
"falcon sandbox",
"sha256",
"sha1",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"pattern match",
"ascii text",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"historical ssl",
"referrer",
"httponly",
"path",
"secure",
"maxage31557600",
"expiresmon",
"samesitenone",
"expireswed",
"etag w",
"setcookie dids",
"maxage864000",
"http response",
"final url",
"serving ip",
"address",
"status code",
"html document",
"history",
"utc names",
"html info",
"title assurance",
"meta tags",
"script tags",
"anchor hrefs",
"code",
"requestid",
"hostid",
"xml file",
"accessdenied",
"message",
"signature",
"expires",
"awsaccesskeyid",
"log id",
"gmtn",
"passive dns",
"urls",
"digicert global",
"g2 tls",
"rsa sha256",
"tls web",
"full name",
"self",
"false",
"united",
"as8075",
"unknown",
"gmt server",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"url https",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"aaaa",
"meta",
"link",
"search",
"creation date",
"wheels up",
"moved",
"homepage",
"servers",
"service",
"name servers",
"hostname",
"next",
"japan unknown",
"as2510 fujitsu",
"status",
"page",
"ltd dba",
"com laude",
"record value",
"ireland",
"germany",
"australia",
"as44786 adobe",
"whitelisted",
"win32",
"present may",
"trojan",
"karaganye",
"regsetvalueexa",
"regdword",
"default",
"show",
"presto",
"regbinary",
"medium",
"create c",
"query",
"double",
"malware",
"copy",
"karagany",
"write",
"showing",
"as35908 krypt",
"as45102 alibaba",
"hong kong",
"data service",
"script script",
"div div",
"title",
"entries",
"files",
"japan asn",
"dns resolutions",
"memory pattern",
"ip traffic",
"domains",
"urls https",
"files c",
"filesgoogle c",
"written c",
"extensions",
"as20446",
"as14061",
"emails",
"threat roundup",
"bashlite",
"jupyter rising",
"vmware",
"security blog",
"april",
"september",
"december",
"january",
"enemybot",
"core"
],
"references": [
"Assurance",
"IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2",
"IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)",
"Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger",
"Domains Contacted: simplesausages.cx.cc adobe.com",
"https://test2.ditproducts.com/dat/wannacry1.html",
"http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"CVE-2023-22518 | CVE-2023-4966"
],
"public": 1,
"adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,",
"targeted_countries": [
"United States of America",
"Netherlands"
],
"malware_families": [
{
"id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn",
"target": null
},
{
"id": "Win32:Karagany-D\\ [Trj]",
"display_name": "Win32:Karagany-D\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Xtoober-650",
"display_name": "Win.Trojan.Xtoober-650",
"target": null
},
{
"id": "Trojan:Win32/Startpage.SS",
"display_name": "Trojan:Win32/Startpage.SS",
"target": "/malware/Trojan:Win32/Startpage.SS"
},
{
"id": "Win.Packed.Pincav-7537597-0",
"display_name": "Win.Packed.Pincav-7537597-0",
"target": null
},
{
"id": "Trojan.Karagany - S0094",
"display_name": "Trojan.Karagany - S0094",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Healthcare",
"Technology",
"Telecommunications",
"Finance - Insurance Sector"
],
"TLP": "green",
"cloned_from": null,
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2950,
"FileHash-MD5": 193,
"FileHash-SHA1": 171,
"FileHash-SHA256": 1885,
"URL": 8907,
"domain": 2945,
"SSLCertFingerprint": 2,
"email": 11,
"CVE": 2
},
"indicator_count": 17066,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "691 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://www.adobe.es",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://www.adobe.es",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780261152.1918051
}