{
  "type": "URL",
  "indicator": "https://www.amazon.com/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.amazon.com/",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #10",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #29",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain amazon.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain amazon.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3841857816,
      "indicator": "https://www.amazon.com/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "69d7273a8c29f4dc6578a263",
          "name": "CAPE Sandbox - hahahah23.exe 100/100 ZenBox Malicious",
          "description": "<The Yara malware has been detected on the Windows operating system and is being investigated by researchers in the UK. \u00a32.5m (\u00a31.4m) in total.> This was found under verizonbuisness.com - hahahah23.exe File type: PE32+ executable (GUI) x86-64, for MS Windows File size: 177.09 MB SHA256: 227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba SHA1: 27d557bd17ee9c8f104acfa4fe6d90b79579e550 MD5: e5ce407c672befa2c5f35613e18a6a6e SHA512: bc3b53b79579571b7d66aac8c4e63d9ac8970f2faa4cf018a042eadfc5411de6dc6ed0ce0e3f8ac10869c1b586f6fcdfce2eeac52bdfaec34f5d1add32788f98 Entropy: 7.999445848230399",
          "modified": "2026-04-09T04:38:52.131000",
          "created": "2026-04-09T04:12:42.966000",
          "tags": [
            "default",
            "shell folders",
            "inprocserver32",
            "shell foldersmy",
            "parent pid",
            "full path",
            "command line",
            "use tab",
            "commands c",
            "k dcomlaunch",
            "windows sandbox",
            "calls clear",
            "file type",
            "crlf line",
            "ascii text",
            "pe file",
            "found",
            "pe32",
            "ms windows",
            "intel",
            "drops pe",
            "yara",
            "malicious",
            "privateloader",
            "ffdroider",
            "code",
            "babadeda",
            "winrar",
            "persistence",
            "socelars",
            "info",
            "next",
            "verizonbusiness.com",
            "Quasar RAT",
            "Predator",
            "Mercenary spyware",
            "trusted insider",
            "united"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775707976&Signature=Z0ONm%2F0wVjw0Rx2N5hAGxIiVIALUbH3x8CZiGv16W%2BYQKg5S7mzalEJws%2BpnQLrXRGD1b6FOVnilnkNSCz8c9S%2Fc63Iubch%2Fy8MOvBGk%2BzLu3CXluRtPSLxKLAX5YEZC6aqrY0sO%2FxbhUKewiNSp0qUkFApC4rVZkxM83bV%2Fze1Sg4Ke1gRUsBLXe0MtidGVHPxoDrlG%2FSM04%2FQL%2B4GV0brv2nHqO3%2FQO9Rebf",
            "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708073&Signature=X82moDKFn%2BHd%2FymX0XcBWbmabFgo74nMb1YI36WV0eMYsfGCJsreegYDMxRtgvbVVvcC3dMTo1x96pbi7v%2Fa4lf6euYxNUB%2BNmm8dnqdWwIksIJ8Y0a4GzNL2aCwTzs5YSD8iMN43mMkxR14z%2BbSuTVv76CyoXjFCl2kCaEtIIoJa5iJex4jR7pTVG%2BhrZb3060B9jPvhlJtg0RxbGA%2BcEnqfoSZhpRHNO7n3Qtv7r",
            "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708098&Signature=bkoeP8r%2BrKJ5WlhgIc4xoWA04UxYOruaW08Ii84ZB%2FSxnDFXWvpomfR%2FXQ4e2xgSBpB%2Fovj4vr70QMdYRECRBxTU0hgeUOh2EDPkJHuvS7itflXpXbjPnjJI2dm2B7t%2F3mQY6O4q7d1oKLpRBLlTxWa%2FzhU8ejI0MRgPR3v1ryf9vNXF%2FfPoQg74q3Wrn2W3k%2FxC3Mdg0ZNoSH%2FdvV3wRMBDEHyjmLKMUPiQD93iVPxY7xbkjsXd"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 65,
            "FileHash-MD5": 2426,
            "FileHash-SHA1": 174,
            "FileHash-SHA256": 1237,
            "URL": 104,
            "domain": 8,
            "hostname": 52
          },
          "indicator_count": 4066,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-02T23:49:02.973000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "This technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 107,
            "CIDR": 6
          },
          "indicator_count": 33117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69228447b9c71795633314df",
          "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 02.16.26",
          "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.",
          "modified": "2026-03-04T21:04:10.482000",
          "created": "2025-11-23T03:49:27.649000",
          "tags": [
            "geoip",
            "as54113",
            "fastly",
            "as20940",
            "as15169",
            "google",
            "as214401",
            "maincubesas",
            "gmbh",
            "apache geoip",
            "facebook",
            "UAlberta",
            "AHS",
            "Treaty 8",
            "GoA",
            "Alberta",
            "Edmonton",
            "YEG"
          ],
          "references": [
            "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
            "URLscanio, FSio, vT",
            "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
            "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary",
            "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
            "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Cura\u00e7ao",
            "Guatemala",
            "Sint Maarten (Dutch part)",
            "Tanzania, United Republic of",
            "Barbados",
            "United States of America",
            "Bahamas",
            "Anguilla",
            "Canada",
            "Saint Vincent and the Grenadines",
            "United Kingdom of Great Britain and Northern Ireland",
            "Kenya",
            "France",
            "Aruba",
            "Mexico",
            "Poland",
            "Costa Rica",
            "Ireland",
            "Trinidad and Tobago",
            "Netherlands",
            "Slovakia",
            "Spain",
            "Philippines"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Technology",
            "Telecommunications",
            "Education",
            "Healthcare",
            "Finance",
            "Retail",
            "Hospitality",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 47,
            "FileHash-MD5": 32,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 1047,
            "URL": 4006,
            "domain": 2126,
            "email": 412,
            "hostname": 2122,
            "CVE": 1
          },
          "indicator_count": 9805,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "39 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69519fa81048ad057eb9beaa",
          "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
          "description": "I really love using this tool (LevelBlue -OTX) In all reality this information would have been sent to the government. CISA , NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information go? Citizens Lab would have been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild , credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
          "modified": "2026-01-27T21:02:45.343000",
          "created": "2025-12-28T21:22:48.595000",
          "tags": [
            "united",
            "servers",
            "moved",
            "ip address",
            "record value",
            "encrypt",
            "present jul",
            "present jun",
            "trojandropper",
            "passive dns",
            "ipv4 add",
            "urls",
            "files",
            "virtool",
            "united states",
            "dynamicloader",
            "directui",
            "element",
            "classinfobase",
            "write c",
            "medium",
            "yara rule",
            "msvisualbasic60",
            "high",
            "hwndelement",
            "explorer",
            "write",
            "movie",
            "insert",
            "program",
            "python",
            "http traffic",
            "trojan generic",
            "search",
            "cnc activity",
            "delphi",
            "win32",
            "launcher",
            "pony",
            "fareit",
            "malware",
            "push",
            "msie",
            "windows nt",
            "generic",
            "checkin",
            "post",
            "yara detections",
            "rxr",
            "inject",
            "memcommit",
            "cryptexportkey",
            "invalid pointer",
            "regsetvalueexa",
            "solutions ltd",
            "read c",
            "regdword",
            "mozilla",
            "persistence",
            "execution",
            "android",
            "unknown",
            "learn",
            "suspicious",
            "informative",
            "adversaries",
            "ck id",
            "name tactics",
            "command",
            "initial access",
            "defense evasion",
            "spawns",
            "t1590 gather",
            "flag",
            "click",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "pattern match",
            "mitre att",
            "ck matrix",
            "href",
            "ascii text",
            "starfield",
            "hybrid",
            "general",
            "local",
            "path",
            "iframe",
            "palantir",
            "present nov",
            "present oct",
            "status",
            "present apr",
            "present dec",
            "cryp",
            "date",
            "trojan",
            "title",
            "name servers",
            "windows",
            "t1060",
            "disables proxy",
            "dock",
            "pegasus",
            "rootkit",
            "backdoor",
            "susp",
            "win32qqpass feb",
            "worm",
            "msr win32",
            "win64",
            "process32nextw",
            "findwindowa",
            "file execution",
            "writeconsolea",
            "procexpl",
            "file v2",
            "document",
            "document file",
            "v2 document",
            "lost",
            "tools",
            "pecompact",
            "media",
            "autorun",
            "service",
            "post http",
            "delete",
            "alerts",
            "emotet",
            "rkt",
            "autorun",
            "worm",
            "plugins",
            "title error",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "domain",
            "expiration date",
            "hostname add",
            "pulse pulses",
            "contacted hosts",
            "sha1",
            "sha256",
            "show technique",
            "strings",
            "t1480 execution",
            "signing defense",
            "script urls",
            "a domains",
            "unknown ns",
            "texas flyover",
            "script domains",
            "script script",
            "meta",
            "window",
            "process details",
            "contacted"
          ],
          "references": [
            "Cart.Guru",
            "Yara Detections: Delphi",
            "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
            "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
            "HTTP traffic on port 443 (POST)",
            "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
            "Alerts: crime_win_cutwail_stage2  infostealer_browser infostealer_cookies recon_programs",
            "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
            "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
            "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
            "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
            "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
            "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
            "Yara Detections:  Nullsoft_NSIS    ...",
            "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
            "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
            "Small_Yara:   IP\u2019s Contacted  176.32.103.205  205.251.242.103",
            "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
            "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
            "Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
            "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users"
          ],
          "public": 1,
          "adversary": "Palantir Pegasus",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RXR",
              "display_name": "RXR",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Trojan:Win32/Bagsu!rfn",
              "display_name": "Trojan:Win32/Bagsu!rfn",
              "target": "/malware/Trojan:Win32/Bagsu!rfn"
            },
            {
              "id": "#LowFiEnableDTContinueAfterUnpacking",
              "display_name": "#LowFiEnableDTContinueAfterUnpacking",
              "target": null
            },
            {
              "id": "Win32:MalOb-BX\\ [Cryp]",
              "display_name": "Win32:MalOb-BX\\ [Cryp]",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "#Lowfi:Win32/SandboxProductId",
              "display_name": "#Lowfi:Win32/SandboxProductId",
              "target": "/malware/#Lowfi:Win32/SandboxProductId"
            },
            {
              "id": "Win32:Backdoor",
              "display_name": "Win32:Backdoor",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Win32:Evo-gen\\ [Susp]",
              "display_name": "Win32:Evo-gen\\ [Susp]",
              "target": null
            },
            {
              "id": "ALF:Trojan:MSIL/BlackFus.C",
              "display_name": "ALF:Trojan:MSIL/BlackFus.C",
              "target": null
            },
            {
              "id": "Win32:Malware",
              "display_name": "Win32:Malware",
              "target": null
            },
            {
              "id": "TrojanProxy:Win32/Ceutv.A",
              "display_name": "TrojanProxy:Win32/Ceutv.A",
              "target": "/malware/TrojanProxy:Win32/Ceutv.A"
            },
            {
              "id": "VirTool:Win32/Obfuscator.AHU",
              "display_name": "VirTool:Win32/Obfuscator.AHU",
              "target": "/malware/VirTool:Win32/Obfuscator.AHU"
            },
            {
              "id": "ShellCode",
              "display_name": "ShellCode",
              "target": null
            },
            {
              "id": "Win32:Rootkit",
              "display_name": "Win32:Rootkit",
              "target": null
            },
            {
              "id": "VB Flash",
              "display_name": "VB Flash",
              "target": null
            },
            {
              "id": "Worm:Win32/Autorun",
              "display_name": "Worm:Win32/Autorun",
              "target": "/malware/Worm:Win32/Autorun"
            },
            {
              "id": "Win.Packed.Razy-6847895-0",
              "display_name": "Win.Packed.Razy-6847895-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Plugx.N!",
              "display_name": "Backdoor:Win32/Plugx.N!",
              "target": "/malware/Backdoor:Win32/Plugx.N!"
            },
            {
              "id": "Win.Dropper.QQpass-7194329-0",
              "display_name": "Win.Dropper.QQpass-7194329-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/QQpass",
              "display_name": "Trojan:Win32/QQpass",
              "target": "/malware/Trojan:Win32/QQpass"
            },
            {
              "id": "Win32:Agent",
              "display_name": "Win32:Agent",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent",
              "display_name": "Win.Trojan.Agent",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-7545664-0",
              "display_name": "Win.Trojan.Emotet-7545664-0",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1054",
              "name": "Indicator Blocking",
              "display_name": "T1054 - Indicator Blocking"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2362,
            "domain": 449,
            "hostname": 710,
            "email": 6,
            "FileHash-MD5": 260,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 333,
            "SSLCertFingerprint": 27
          },
          "indicator_count": 4348,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "75 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69519fa818f84531ce6becc9",
          "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
          "description": "I really love using this tool (LevelBlue OTX). In all reality this information would have been sent to the government. CISA, NSA, Homeland Security, and Citizens Lab, a Canada-based international organization, would have been involved years ago. Where does this information go? Citizens Lab has been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild, credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform who are on this list. Unless it\u2019s the US government that has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent; some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
          "modified": "2026-01-27T21:02:45.343000",
          "created": "2025-12-28T21:22:48.383000",
          "tags": [
            "united",
            "servers",
            "moved",
            "ip address",
            "record value",
            "encrypt",
            "present jul",
            "present jun",
            "trojandropper",
            "passive dns",
            "ipv4 add",
            "urls",
            "files",
            "virtool",
            "united states",
            "dynamicloader",
            "directui",
            "element",
            "classinfobase",
            "write c",
            "medium",
            "yara rule",
            "msvisualbasic60",
            "high",
            "hwndelement",
            "explorer",
            "write",
            "movie",
            "insert",
            "program",
            "python",
            "http traffic",
            "trojan generic",
            "search",
            "cnc activity",
            "delphi",
            "win32",
            "launcher",
            "pony",
            "fareit",
            "malware",
            "push",
            "msie",
            "windows nt",
            "generic",
            "checkin",
            "post",
            "yara detections",
            "rxr",
            "inject",
            "memcommit",
            "cryptexportkey",
            "invalid pointer",
            "regsetvalueexa",
            "solutions ltd",
            "read c",
            "regdword",
            "mozilla",
            "persistence",
            "execution",
            "android",
            "unknown",
            "learn",
            "suspicious",
            "informative",
            "adversaries",
            "ck id",
            "name tactics",
            "command",
            "initial access",
            "defense evasion",
            "spawns",
            "t1590 gather",
            "flag",
            "click",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "pattern match",
            "mitre att",
            "ck matrix",
            "href",
            "ascii text",
            "starfield",
            "hybrid",
            "general",
            "local",
            "path",
            "iframe",
            "palantir",
            "present nov",
            "present oct",
            "status",
            "present apr",
            "present dec",
            "cryp",
            "date",
            "trojan",
            "title",
            "name servers",
            "windows",
            "t1060",
            "disables proxy",
            "dock",
            "pegasus",
            "rootkit",
            "backdoor",
            "susp",
            "win32qqpass feb",
            "worm",
            "msr win32",
            "win64",
            "process32nextw",
            "findwindowa",
            "file execution",
            "writeconsolea",
            "procexpl",
            "file v2",
            "document",
            "document file",
            "v2 document",
            "lost",
            "tools",
            "pecompact",
            "media",
            "autorun",
            "service",
            "post http",
            "delete",
            "alerts",
            "emotet",
            "rkt",
            "autorun",
            "worm",
            "plugins",
            "title error",
            "body doctype",
            "html public",
            "w3cdtd html",
            "html head",
            "domain",
            "expiration date",
            "hostname add",
            "pulse pulses",
            "contacted hosts",
            "sha1",
            "sha256",
            "show technique",
            "strings",
            "t1480 execution",
            "signing defense",
            "script urls",
            "a domains",
            "unknown ns",
            "texas flyover",
            "script domains",
            "script script",
            "meta",
            "window",
            "process details",
            "contacted"
          ],
          "references": [
            "Cart.Guru",
            "Yara Detections: Delphi",
            "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
            "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
            "HTTP traffic on port 443 (POST)",
            "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
            "Alerts: crime_win_cutwail_stage2  infostealer_browser infostealer_cookies recon_programs",
            "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
            "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
            "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
            "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
            "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
            "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
            "Yara Detections:  Nullsoft_NSIS    ...",
            "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
            "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
            "Small_Yara:   IP\u2019s Contacted  176.32.103.205  205.251.242.103",
            "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
            "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
            "Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
            "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users"
          ],
          "public": 1,
          "adversary": "Palantir Pegasus",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "RXR",
              "display_name": "RXR",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Trojan:Win32/Bagsu!rfn",
              "display_name": "Trojan:Win32/Bagsu!rfn",
              "target": "/malware/Trojan:Win32/Bagsu!rfn"
            },
            {
              "id": "#LowFiEnableDTContinueAfterUnpacking",
              "display_name": "#LowFiEnableDTContinueAfterUnpacking",
              "target": null
            },
            {
              "id": "Win32:MalOb-BX\\ [Cryp]",
              "display_name": "Win32:MalOb-BX\\ [Cryp]",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "#Lowfi:Win32/SandboxProductId",
              "display_name": "#Lowfi:Win32/SandboxProductId",
              "target": "/malware/#Lowfi:Win32/SandboxProductId"
            },
            {
              "id": "Win32:Backdoor",
              "display_name": "Win32:Backdoor",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Win32:Evo-gen\\ [Susp]",
              "display_name": "Win32:Evo-gen\\ [Susp]",
              "target": null
            },
            {
              "id": "ALF:Trojan:MSIL/BlackFus.C",
              "display_name": "ALF:Trojan:MSIL/BlackFus.C",
              "target": null
            },
            {
              "id": "Win32:Malware",
              "display_name": "Win32:Malware",
              "target": null
            },
            {
              "id": "TrojanProxy:Win32/Ceutv.A",
              "display_name": "TrojanProxy:Win32/Ceutv.A",
              "target": "/malware/TrojanProxy:Win32/Ceutv.A"
            },
            {
              "id": "VirTool:Win32/Obfuscator.AHU",
              "display_name": "VirTool:Win32/Obfuscator.AHU",
              "target": "/malware/VirTool:Win32/Obfuscator.AHU"
            },
            {
              "id": "ShellCode",
              "display_name": "ShellCode",
              "target": null
            },
            {
              "id": "Win32:Rootkit",
              "display_name": "Win32:Rootkit",
              "target": null
            },
            {
              "id": "VB Flash",
              "display_name": "VB Flash",
              "target": null
            },
            {
              "id": "Worm:Win32/Autorun",
              "display_name": "Worm:Win32/Autorun",
              "target": "/malware/Worm:Win32/Autorun"
            },
            {
              "id": "Win.Packed.Razy-6847895-0",
              "display_name": "Win.Packed.Razy-6847895-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Plugx.N!",
              "display_name": "Backdoor:Win32/Plugx.N!",
              "target": "/malware/Backdoor:Win32/Plugx.N!"
            },
            {
              "id": "Win.Dropper.QQpass-7194329-0",
              "display_name": "Win.Dropper.QQpass-7194329-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/QQpass",
              "display_name": "Trojan:Win32/QQpass",
              "target": "/malware/Trojan:Win32/QQpass"
            },
            {
              "id": "Win32:Agent",
              "display_name": "Win32:Agent",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent",
              "display_name": "Win.Trojan.Agent",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-7545664-0",
              "display_name": "Win.Trojan.Emotet-7545664-0",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1054",
              "name": "Indicator Blocking",
              "display_name": "T1054 - Indicator Blocking"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2362,
            "domain": 449,
            "hostname": 710,
            "email": 6,
            "FileHash-MD5": 260,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 333,
            "SSLCertFingerprint": 27
          },
          "indicator_count": 4348,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "75 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69458259401a612102d02679",
          "name": "NSO Group (original pulse degraded by a delete service)",
          "description": "",
          "modified": "2025-12-19T16:50:33.337000",
          "created": "2025-12-19T16:50:33.337000",
          "tags": [
            "iocs",
            "urls https",
            "generic malware",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "detection list",
            "luca stealer",
            "cisco umbrella",
            "site",
            "safe site",
            "heur",
            "malicious url",
            "alexa top",
            "malicious site",
            "malware site",
            "unsafe",
            "trojanx",
            "malware",
            "metastealer",
            "alexa",
            "dbatloader",
            "outbreak",
            "downloader",
            "blocker",
            "ransom",
            "autoit",
            "trojan",
            "irata",
            "allakore",
            "trojanspy",
            "hash",
            "ms windows",
            "pe32",
            "write c",
            "t1045",
            "show",
            "high",
            "search",
            "pe32 executable",
            "copy",
            "write",
            "win64",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "entries",
            "powershell",
            "mfc mfc",
            "united",
            "as54113",
            "as14061",
            "as9009 m247",
            "whitelisted",
            "status",
            "united kingdom",
            "name servers",
            "aaaa",
            "passive dns",
            "urls",
            "overview ip",
            "address",
            "related nids",
            "files location",
            "files domain",
            "files related",
            "pulses otx",
            "pulses",
            "as15133 verizon",
            "cname",
            "as16552 tiggee",
            "as20940",
            "domain",
            "as16625 akamai",
            "creation date",
            "body",
            "unknown",
            "ipv4",
            "softcnapp",
            "trojandropper",
            "epaeedpaer",
            "eoaee",
            "qaexedoae",
            "showing",
            "sha256",
            "strings",
            "august",
            "files",
            "main",
            "germany asn",
            "win32",
            "miner",
            "next",
            "asnone united",
            "moved",
            "as8987 amazon",
            "trojanproxy",
            "virtool",
            "yara rule",
            "formbook cnc",
            "checkin",
            "mtb aug",
            "a domains",
            "present sep",
            "twitter",
            "accept",
            "certificate",
            "record value",
            "dynamicloader",
            "medium",
            "dynamic",
            "network",
            "reads",
            "port",
            "anomaly",
            "overview domain",
            "tags",
            "related tags",
            "dns status",
            "hostname query",
            "type address",
            "first seen",
            "seen asn",
            "country unknown",
            "nxdomain",
            "a nxdomain",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "encrypt",
            "hostname",
            "files ip",
            "address domain",
            "france",
            "emails",
            "aaaa fd00",
            "as16276 ovh",
            "poland",
            "contacted",
            "wine emulator",
            "ip address",
            "script urls",
            "date",
            "meta",
            "flag united",
            "url http",
            "pulse http",
            "http",
            "as8075",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "servers",
            "expiration date",
            "sorry something",
            "gmt content",
            "canada unknown",
            "error",
            "backend",
            "france unknown",
            "alfper",
            "gmt contenttype",
            "apache",
            "exploit",
            "as15169 google",
            "wireless",
            "as23027 boingo",
            "pulse submit",
            "url analysis",
            "location united",
            "nso group",
            "pegasus spyware",
            "url indicator",
            "active created",
            "modified",
            "email",
            "nso",
            "germany",
            "pattern",
            "susp",
            "msil",
            "akamai",
            "gmt connection",
            "netherlands",
            "ovhfr",
            "ns nxdomain",
            "australia",
            "redacted for",
            "andariel group",
            "defense",
            "andariel",
            "check",
            "opera ua",
            "et trojan",
            "attempts",
            "april",
            "zbot",
            "possible zeus",
            "as140107 citis",
            "america asn",
            "as22612",
            "as397240",
            "as19527 google",
            "apple"
          ],
          "references": [
            "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "Andariel group \u00bb State-sponsored threat actor & Defense media",
            "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin",
            "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process",
            "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread",
            "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p",
            "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef",
            "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net",
            "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9",
            "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2",
            "NSO Group auto populated/relevant to research results. For several years we've seen evidence of Pegasus attacks on Americans.",
            "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com",
            "Used as Apple IPs: 160.153.62.66 | 162.255.119.21 | 192.64.119.254",
            "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostname www.appleremotesupport.com"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Sweden",
            "Germany",
            "India",
            "United Kingdom of Great Britain and Northern Ireland",
            "France",
            "Spain",
            "Canada",
            "Singapore",
            "Japan",
            "Korea, Republic of",
            "Ireland",
            "Italy"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Trojan:Win64/CoinMiner.WE",
              "display_name": "Trojan:Win64/CoinMiner.WE",
              "target": "/malware/Trojan:Win64/CoinMiner.WE"
            },
            {
              "id": "Trojan:Win32/SmokeLoader",
              "display_name": "Trojan:Win32/SmokeLoader",
              "target": "/malware/Trojan:Win32/SmokeLoader"
            },
            {
              "id": "PWS:Win32/Zbot!CI",
              "display_name": "PWS:Win32/Zbot!CI",
              "target": "/malware/PWS:Win32/Zbot!CI"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1017",
              "name": "Application Deployment Software",
              "display_name": "T1017 - Application Deployment Software"
            },
            {
              "id": "T1138",
              "name": "Application Shimming",
              "display_name": "T1138 - Application Shimming"
            },
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1459",
              "name": "Device Unlock Code Guessing or Brute Force",
              "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66f55cdc8257c7fa223ed052",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2852,
            "FileHash-SHA1": 2194,
            "FileHash-SHA256": 6649,
            "domain": 1881,
            "hostname": 1706,
            "URL": 553,
            "CVE": 3,
            "email": 25
          },
          "indicator_count": 15863,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "114 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d101365a94bbec9580d998",
          "name": "StableAI Setup .zip by Brute Denis",
          "description": "VirusTotal Graph by miniuser (09.22.25)",
          "modified": "2025-10-22T07:03:32.951000",
          "created": "2025-09-22T07:56:38.644000",
          "tags": [
            "entity"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g2ef5990d26324c34bf891ad5b1225bc96eb60a570a9c43959288823058f3150e?theme=dark",
            "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/iocs",
            "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/summary"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 27,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 75,
            "URL": 85,
            "domain": 6,
            "hostname": 26
          },
          "indicator_count": 246,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "173 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "686dc31588057c828d99de65",
          "name": "Darpapox CNC Beacon \u2022 Tethered to T-Mobile iOS",
          "description": "In November 2021  T-mobile.com/tethering/upsell.do\ttethered to a heavily targeted crime victim\u2019s phone. It seemed to trigger an outage in Early November 2021. (IoC\u2019s left out of graph and Pulse) related to Palantir / Foundry/ Twitter \nI can assume they are being spoofed, unfortunately, this harmful, powerfully dangerous \u2019tool\u2019 is a real weapon that can and has led to great harm or death ; is a product for sale.\n\nVictim was assaulted by PT under quasi government care. She has been injured, stalked,  nearly assassinated, confronted, recorded, spied on, denied healthcare, legal representation & relentlessly bullied online and otherwise to death.\nNOT EVERYONE SHOULD HAVE THIS TOOL. IT IS A WEAPON!",
          "modified": "2025-08-08T00:05:09.846000",
          "created": "2025-07-09T01:17:09.803000",
          "tags": [
            "united",
            "status",
            "name servers",
            "search",
            "servers",
            "ip address",
            "creation date",
            "telekom ag",
            "present aug",
            "present dec",
            "date",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jan",
            "next related",
            "domains show",
            "domain related",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "mitre att",
            "ck techniques",
            "evasion att",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "size",
            "null",
            "refresh",
            "body",
            "span",
            "hybrid",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "update",
            "whois field",
            "value address",
            "city bonn",
            "country de",
            "dnssec",
            "domain name",
            "name",
            "expiration date",
            "domain",
            "passive dns",
            "urls",
            "files ip",
            "address domain",
            "ip whois",
            "registrar",
            "entries",
            "next associated",
            "urls show",
            "results apr",
            "showing",
            "present nov",
            "results dec",
            "present jan",
            "results feb",
            "present mar",
            "results may",
            "results mar",
            "results aug",
            "present may",
            "present jun",
            "results jun",
            "t-mobile",
            "log4",
            "whois show",
            "record value",
            "name domain",
            "admin name",
            "org deutsche",
            "whois",
            "related",
            "comments",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country",
            "emails",
            "services",
            "org principal",
            "financial",
            "high st",
            "ag organization",
            "server",
            "flag",
            "contacted hosts",
            "process details",
            "found cache",
            "control",
            "pragma",
            "present oct",
            "present feb",
            "moved",
            "name legal",
            "referral url",
            "wa status",
            "updated date",
            "whois server",
            "zipcode",
            "present apr",
            "content type",
            "gmt p3p",
            "noi nid",
            "cura adma",
            "deva psaa",
            "psda our",
            "sama bus",
            "pur com",
            "hostname add",
            "pulse pulses",
            "files",
            "domain add",
            "show",
            "copy",
            "reads",
            "total",
            "read",
            "write",
            "delete",
            "kawaii unicorn",
            "tethering",
            "iphone",
            "ios",
            "apple",
            "gmt content",
            "type",
            "dynamicloader",
            "yara rule",
            "medium",
            "high",
            "vmware",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "malware",
            "unknown",
            "ta0002 defense",
            "evasion ta0005",
            "ta0009",
            "lowfi",
            "ipv4 add",
            "location united",
            "america flag",
            "ransom",
            "trojandropper",
            "yara detections",
            "lehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "medium risk",
            "none related",
            "defender",
            "pulses none",
            "cnc beacon",
            "winver",
            "search host",
            "all ipv4",
            "hosting",
            "trojan",
            "tlsv1",
            "odigicert inc",
            "cndigicert sha2",
            "secure server",
            "stwashington",
            "lseattle",
            "as16509",
            "stcalifornia",
            "next",
            "execution",
            "dock",
            "persistence",
            "encrypt",
            "project",
            "process32nextw",
            "service",
            "t1003",
            "hacktool",
            "pe32",
            "win64",
            "cowboy server",
            "jakuz",
            "mimikatz",
            "darpapox",
            "default",
            "codeoverlap",
            "date hash",
            "deletes_executed_files",
            "ue codeoverlap",
            "pe section",
            "ipv4",
            "arkei stealer",
            "hash apr",
            "ma ma",
            "win32spigot may",
            "ub euj",
            "e ep",
            "ub uj",
            "program",
            "python",
            "write c",
            "intel",
            "ms windows",
            "updater",
            "launcher",
            "powershell",
            "langchinese",
            "ip check",
            "http host",
            "icmp traffic",
            "win32",
            "download",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "entity bns34",
            "ip addresses",
            "tsara brashears"
          ],
          "references": [
            "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do",
            "Kawaii-Unicorn.exe",
            "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector",
            "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly",
            "High Priority Alerts:  suricata_alert antivm_bochs_keys physical_drive_access",
            "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process",
            "Priority Alerts:  enumerates_running_processes reads_self network_http",
            "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx",
            "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name",
            "High Priority Alerts IDS:  Backdoor.Darpapox/Jaku  \u2022 CNAME CnC Beacon (WinVer 6.1)",
            "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin",
            "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140",
            "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin",
            "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140",
            "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140",
            "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022  192.157.56.140",
            "High Priority Alerts IDS:  \u2022 199.59.243.228",
            "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228",
            "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228",
            "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228",
            "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228",
            "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228",
            "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022",
            "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org",
            "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.",
            "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues",
            "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]",
            "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.Barys-10005825-0",
              "display_name": "Win.Trojan.Barys-10005825-0",
              "target": null
            },
            {
              "id": "#fp539598-VBS/LoveLetter.BT",
              "display_name": "#fp539598-VBS/LoveLetter.BT",
              "target": null
            },
            {
              "id": "Ransom:Win32/Haperlock",
              "display_name": "Ransom:Win32/Haperlock",
              "target": "/malware/Ransom:Win32/Haperlock"
            },
            {
              "id": "Backdoor.Darpapox/Jaku",
              "display_name": "Backdoor.Darpapox/Jaku",
              "target": null
            },
            {
              "id": "Win.Trojan.Badur-8004052-0",
              "display_name": "Win.Trojan.Badur-8004052-0",
              "target": null
            },
            {
              "id": "Win.Dropper.Unruy-9994363-0",
              "display_name": "Win.Dropper.Unruy-9994363-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/Haperlock.A",
              "display_name": "Ransom:Win32/Haperlock.A",
              "target": "/malware/Ransom:Win32/Haperlock.A"
            },
            {
              "id": "Win.Malware.Bzub-9969513-0",
              "display_name": "Win.Malware.Bzub-9969513-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Dorv.A",
              "display_name": "Trojan:Win32/Dorv.A",
              "target": "/malware/Trojan:Win32/Dorv.A"
            },
            {
              "id": "HackTool:Win32/Mimikatz",
              "display_name": "HackTool:Win32/Mimikatz",
              "target": "/malware/HackTool:Win32/Mimikatz"
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1429",
              "name": "Capture Audio",
              "display_name": "T1429 - Capture Audio"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1130,
            "FileHash-SHA1": 1094,
            "FileHash-SHA256": 4332,
            "URL": 413,
            "domain": 444,
            "hostname": 903,
            "email": 12,
            "SSLCertFingerprint": 34,
            "CIDR": 1
          },
          "indicator_count": 8363,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67035385a884405e783f9a7e",
          "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com  |",
          "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd",
          "modified": "2024-11-06T01:02:24.390000",
          "created": "2024-10-07T03:20:37.224000",
          "tags": [
            "canada unknown",
            "redacted for",
            "as25825",
            "all scoreblue",
            "passive dns",
            "ipv4",
            "reverse dns",
            "next",
            "for privacy",
            "cname",
            "united states",
            "nxdomain",
            "ns nxdomain",
            "united",
            "as21928",
            "south korea",
            "as9318 sk",
            "taiwan as3462",
            "as701 verizon",
            "search",
            "maxage apt",
            "minage apt",
            "maxsize apt",
            "malware",
            "as44273 host",
            "creation date",
            "status",
            "showing",
            "record value",
            "certificate",
            "date",
            "urls",
            "overview ip",
            "address",
            "related nids",
            "files location",
            "flag united",
            "domain",
            "files related",
            "intel",
            "ms windows",
            "users",
            "pe32",
            "number",
            "ascii text",
            "crlf line",
            "database",
            "english",
            "tue jun",
            "installer",
            "template",
            "trojan",
            "write",
            "registrar",
            "pulse submit",
            "url analysis",
            "files",
            "msie",
            "chrome",
            "rdds service",
            "record",
            "registrant",
            "admin",
            "tech contact",
            "name servers",
            "email please",
            "moved",
            "trojanproxy",
            "virtool",
            "as1221",
            "aaaa",
            "asnone united",
            "show",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "script urls",
            "gmt path",
            "fedora",
            "open ports",
            "nginx http",
            "server",
            "a domains",
            "gmt content",
            "set cookie",
            "gmt etag",
            "accept",
            "expiration date",
            "backdoor",
            "mirai",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "hostname",
            "verdict",
            "unknown",
            "new pulse",
            "loveland",
            "america asn",
            "Generic36.ABKD",
            "domains",
            "location canada",
            "as32133",
            "files ip",
            "address domain",
            "path max",
            "age86400 set",
            "cookie",
            "type",
            "entries",
            "script domains",
            "downloader",
            "body",
            "servers",
            "emails",
            "gmt max",
            "title",
            "meta",
            "as20940",
            "as16625 akamai",
            "west domains",
            "as4230 claro",
            "copy",
            "sabey",
            "contacted"
          ],
          "references": [
            "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org",
            "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital",
            "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html",
            "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html",
            "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html",
            "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html",
            "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html",
            "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html",
            "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4",
            "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication",
            "Domains Contacted: ntp.ubuntu.com",
            "IP\u2019s Contacted:  1.0.128.143  1.10.54.226  1.107.217.150  1.112.34.224  1.114.165.87  1.116.76.208  1.118.37.88  1.121.139.226  1.122.96.75 1.114.207.168",
            "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com",
            "Trojan:Win32/Zombie.A FileHash-SHA256  ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830",
            "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,",
            "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,  UPXv20MarkusLaszloReiser ,  UPX",
            "cpe-1-159-170-17.wb05.wa.asp.telstra.net",
            "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth,  Australia ASN AS1221 telstra corporation",
            "ELF:Mirai-BZ\\ [Trj]  cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation",
            "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555",
            "Yara Detections: Mirai_Botnet_Malware ,  MAL_ELF_LNX_Mirai_Oct10_2 ,  SUSP_XORed_Mozilla ,  is__elf",
            "198.49.6.6 \u00bb Loveland,  United States of America ASN AS25825 poudre valley health care inc."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Taiwan",
            "Philippines",
            "India",
            "Italy",
            "Germany",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "ELF:Mirai-BZ\\ [Trj]",
              "display_name": "ELF:Mirai-BZ\\ [Trj]",
              "target": null
            },
            {
              "id": "Mirai_Botnet_Malware",
              "display_name": "Mirai_Botnet_Malware",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Unix.Trojan.Mirai-6976991-0",
              "display_name": "Unix.Trojan.Mirai-6976991-0",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai.B",
              "display_name": "Backdoor:Linux/Mirai.B",
              "target": "/malware/Backdoor:Linux/Mirai.B"
            },
            {
              "id": "TrojanDownloader:Win32/Fosniw",
              "display_name": "TrojanDownloader:Win32/Fosniw",
              "target": "/malware/TrojanDownloader:Win32/Fosniw"
            },
            {
              "id": "TrojanClicker:Win32/Frosparf",
              "display_name": "TrojanClicker:Win32/Frosparf",
              "target": "/malware/TrojanClicker:Win32/Frosparf"
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            }
          ],
          "industries": [
            "Legal",
            "Healthcare",
            "Education"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1230,
            "email": 16,
            "hostname": 1560,
            "URL": 3400,
            "FileHash-SHA256": 1064,
            "FileHash-MD5": 544,
            "FileHash-SHA1": 496,
            "CVE": 1
          },
          "indicator_count": 8311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "523 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f55cdc8257c7fa223ed052",
          "name": "NSO Group attacks Uptown Denver Neighborhood",
          "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials, passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
          "modified": "2024-10-26T12:05:43.885000",
          "created": "2024-09-26T13:08:44.341000",
          "tags": [
            "iocs",
            "urls https",
            "generic malware",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "detection list",
            "luca stealer",
            "cisco umbrella",
            "site",
            "safe site",
            "heur",
            "malicious url",
            "alexa top",
            "malicious site",
            "malware site",
            "unsafe",
            "trojanx",
            "malware",
            "metastealer",
            "alexa",
            "dbatloader",
            "outbreak",
            "downloader",
            "blocker",
            "ransom",
            "autoit",
            "trojan",
            "irata",
            "allakore",
            "trojanspy",
            "hash",
            "ms windows",
            "pe32",
            "write c",
            "t1045",
            "show",
            "high",
            "search",
            "pe32 executable",
            "copy",
            "write",
            "win64",
            "scan endpoints",
            "all scoreblue",
            "filehash",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "entries",
            "powershell",
            "mfc mfc",
            "united",
            "as54113",
            "as14061",
            "as9009 m247",
            "whitelisted",
            "status",
            "united kingdom",
            "name servers",
            "aaaa",
            "passive dns",
            "urls",
            "overview ip",
            "address",
            "related nids",
            "files location",
            "files domain",
            "files related",
            "pulses otx",
            "pulses",
            "as15133 verizon",
            "cname",
            "as16552 tiggee",
            "as20940",
            "domain",
            "as16625 akamai",
            "creation date",
            "body",
            "unknown",
            "ipv4",
            "softcnapp",
            "trojandropper",
            "epaeedpaer",
            "eoaee",
            "qaexedoae",
            "showing",
            "sha256",
            "strings",
            "august",
            "files",
            "main",
            "germany asn",
            "win32",
            "miner",
            "next",
            "asnone united",
            "moved",
            "as8987 amazon",
            "trojanproxy",
            "virtool",
            "yara rule",
            "formbook cnc",
            "checkin",
            "mtb aug",
            "a domains",
            "present sep",
            "twitter",
            "accept",
            "certificate",
            "record value",
            "dynamicloader",
            "medium",
            "dynamic",
            "network",
            "reads",
            "port",
            "anomaly",
            "overview domain",
            "tags",
            "related tags",
            "dns status",
            "hostname query",
            "type address",
            "first seen",
            "seen asn",
            "country unknown",
            "nxdomain",
            "a nxdomain",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "encrypt",
            "hostname",
            "files ip",
            "address domain",
            "france",
            "emails",
            "aaaa fd00",
            "as16276 ovh",
            "poland",
            "contacted",
            "wine emulator",
            "ip address",
            "script urls",
            "date",
            "meta",
            "flag united",
            "url http",
            "pulse http",
            "http",
            "as8075",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "servers",
            "expiration date",
            "sorry something",
            "gmt content",
            "canada unknown",
            "error",
            "backend",
            "france unknown",
            "alfper",
            "gmt contenttype",
            "apache",
            "exploit",
            "as15169 google",
            "wireless",
            "as23027 boingo",
            "pulse submit",
            "url analysis",
            "location united",
            "nso group",
            "pegasus spyware",
            "url indicator",
            "active created",
            "modified",
            "email",
            "nso",
            "germany",
            "pattern",
            "susp",
            "msil",
            "akamai",
            "gmt connection",
            "netherlands",
            "ovhfr",
            "ns nxdomain",
            "australia",
            "redacted for",
            "andariel group",
            "defense",
            "andariel",
            "check",
            "opera ua",
            "et trojan",
            "attempts",
            "april",
            "zbot",
            "possible zeus",
            "as140107 citis",
            "america asn",
            "as22612",
            "as397240",
            "as19527 google",
            "apple"
          ],
          "references": [
            "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
            "Andariel group \u00bb State-sponsored threat actor & Defense media",
            "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin",
            "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process",
            "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread",
            "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p",
            "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef",
            "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net",
            "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9",
            "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2",
            "NSO Group auto populated/relevant to research results. For several years we've seen evidence of Pegasus attacks on Americans.",
            "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com",
            "Used as  Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254",
            "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostname www.appleremotesupport.com"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Sweden",
            "Germany",
            "India",
            "United Kingdom of Great Britain and Northern Ireland",
            "France",
            "Spain",
            "Canada",
            "Singapore",
            "Japan",
            "Korea, Republic of",
            "Ireland",
            "Italy"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Trojan:Win64/CoinMiner.WE",
              "display_name": "Trojan:Win64/CoinMiner.WE",
              "target": "/malware/Trojan:Win64/CoinMiner.WE"
            },
            {
              "id": "Trojan:Win32/SmokeLoader",
              "display_name": "Trojan:Win32/SmokeLoader",
              "target": "/malware/Trojan:Win32/SmokeLoader"
            },
            {
              "id": "PWS:Win32/Zbot!CI",
              "display_name": "PWS:Win32/Zbot!CI",
              "target": "/malware/PWS:Win32/Zbot!CI"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1016.001",
              "name": "Internet Connection Discovery",
              "display_name": "T1016.001 - Internet Connection Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1017",
              "name": "Application Deployment Software",
              "display_name": "T1017 - Application Deployment Software"
            },
            {
              "id": "T1138",
              "name": "Application Shimming",
              "display_name": "T1138 - Application Shimming"
            },
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1459",
              "name": "Device Unlock Code Guessing or Brute Force",
              "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2852,
            "FileHash-SHA1": 2194,
            "FileHash-SHA256": 6649,
            "domain": 1881,
            "hostname": 1706,
            "URL": 553,
            "CVE": 3,
            "email": 25
          },
          "indicator_count": 15863,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "533 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eeef55e2c1ec3a4fa60ef4",
          "name": "Android",
          "description": "",
          "modified": "2024-10-25T00:05:34.912000",
          "created": "2024-09-21T16:07:49.763000",
          "tags": [
            "read c",
            "write c",
            "create c",
            "delete c",
            "process32nextw",
            "langchinese",
            "search",
            "regsetvalueexa",
            "medium",
            "show",
            "trojan",
            "malware",
            "copy",
            "write",
            "win32",
            "tools",
            "persistence",
            "execution",
            "local",
            "next",
            "count",
            "august",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "http",
            "domain",
            "passive dns",
            "urls",
            "files related",
            "pulses otx",
            "unknown",
            "cname",
            "files",
            "ip address",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "gmt content",
            "encrypt",
            "france",
            "nxdomain",
            "ns nxdomain",
            "aaaa nxdomain",
            "name servers",
            "soa nxdomain",
            "moved",
            "creation date",
            "date",
            "body",
            "aaaa",
            "asnone belgium",
            "united kingdom",
            "as16276 ovh",
            "sha256",
            "maltaterfb",
            "showing",
            "total",
            "read",
            "delete",
            "default",
            "systemroot",
            "high",
            "virtool",
            "virustotal",
            "hacktool",
            "drweb",
            "vipre",
            "panda",
            "et trojan",
            "msie",
            "windows nt",
            "entries",
            "ascii text",
            "intel",
            "ms windows",
            "salicode",
            "emails",
            "expiration date",
            "france unknown",
            "taskmail",
            "task3dmail",
            "capspdf1",
            "mboxinbox",
            "actionshow",
            "twitter",
            "canada unknown",
            "error",
            "ipv4",
            "backend",
            "alfper",
            "gmt contenttype",
            "gmt server",
            "apache",
            "exploit",
            "hostname",
            "dynamicloader",
            "yara rule",
            "delivery",
            "alpha criteria",
            "inno setup",
            "format",
            "june",
            "stack",
            "dummy",
            "overview domain",
            "pulses",
            "tags",
            "related tags",
            "google safe",
            "browsing",
            "record type",
            "ttl value",
            "status",
            "united",
            "asnone united",
            "record value",
            "trojanproxy",
            "servers",
            "as15169 google",
            "for privacy",
            "domains ii",
            "ransom",
            "checks",
            "bios",
            "cpu name",
            "dynamic",
            "filehash",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "technology",
            "dns replication",
            "system label",
            "cloudflarenet",
            "apnic",
            "south brisbane",
            "asia pacific",
            "apnic whois",
            "po box",
            "cordelia st",
            "comment",
            "apnic research",
            "nethandle",
            "arin",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "icmp traffic",
            "dns query",
            "tcp syn",
            "resolverror",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "pulse submit",
            "url analysis",
            "mitre att",
            "ta0002 shared",
            "modules t1129",
            "windows",
            "ta0004 access",
            "t1134",
            "defense evasion",
            "xor encrypt",
            "rc4 prga",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "command",
            "control ob0004",
            "ob0005 defense",
            "evasion ob0006",
            "file system",
            "oc0001 process",
            "oc0003 data",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "lastline",
            "microsoft",
            "memory pattern",
            "dns resolutions",
            "ip traffic",
            "urls tcp",
            "tiger rat",
            "hi",
            "helping sabey"
          ],
          "references": [
            "Andariel Backdoor Activity (Checkin)",
            "IDS: WGET Command Specifying Output in HTTP Headers",
            "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
            "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
            "Mr. Telephone man. There is something wrong with her line when she tries to dial a number, she gets a freak every time..."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Win32/Tonmye",
              "display_name": "Trojan:Win32/Tonmye",
              "target": "/malware/Trojan:Win32/Tonmye"
            },
            {
              "id": "Win32:Kamso",
              "display_name": "Win32:Kamso",
              "target": null
            },
            {
              "id": "VirTool:Win32/CeeInject.GF",
              "display_name": "VirTool:Win32/CeeInject.GF",
              "target": "/malware/VirTool:Win32/CeeInject.GF"
            },
            {
              "id": "ALFPER:PUA:Win32/InstallCore",
              "display_name": "ALFPER:PUA:Win32/InstallCore",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tonmye!rfn",
              "display_name": "Trojan:Win32/Tonmye!rfn",
              "target": "/malware/Trojan:Win32/Tonmye!rfn"
            },
            {
              "id": "Ransom:Win32/Ako",
              "display_name": "Ransom:Win32/Ako",
              "target": "/malware/Ransom:Win32/Ako"
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ARIN",
              "display_name": "ARIN",
              "target": null
            },
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Trojan[APT]/Win32.Lazarus",
              "display_name": "Trojan[APT]/Win32.Lazarus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66ebda7ebbe759bb12cebd4a",
          "export_count": 43,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MayDay23",
            "id": "292773",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 889,
            "FileHash-SHA1": 817,
            "FileHash-SHA256": 3623,
            "domain": 755,
            "SSLCertFingerprint": 1,
            "URL": 396,
            "hostname": 732,
            "email": 14,
            "CVE": 3,
            "CIDR": 2
          },
          "indicator_count": 7232,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 10,
          "modified_text": "535 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67176428e4871c2726288178",
          "name": "Android",
          "description": "",
          "modified": "2024-10-25T00:05:34.912000",
          "created": "2024-10-22T08:36:56.514000",
          "tags": [
            "read c",
            "write c",
            "create c",
            "delete c",
            "process32nextw",
            "langchinese",
            "search",
            "regsetvalueexa",
            "medium",
            "show",
            "trojan",
            "malware",
            "copy",
            "write",
            "win32",
            "tools",
            "persistence",
            "execution",
            "local",
            "next",
            "count",
            "august",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "http",
            "domain",
            "passive dns",
            "urls",
            "files related",
            "pulses otx",
            "unknown",
            "cname",
            "files",
            "ip address",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "gmt content",
            "encrypt",
            "france",
            "nxdomain",
            "ns nxdomain",
            "aaaa nxdomain",
            "name servers",
            "soa nxdomain",
            "moved",
            "creation date",
            "date",
            "body",
            "aaaa",
            "asnone belgium",
            "united kingdom",
            "as16276 ovh",
            "sha256",
            "maltaterfb",
            "showing",
            "total",
            "read",
            "delete",
            "default",
            "systemroot",
            "high",
            "virtool",
            "virustotal",
            "hacktool",
            "drweb",
            "vipre",
            "panda",
            "et trojan",
            "msie",
            "windows nt",
            "entries",
            "ascii text",
            "intel",
            "ms windows",
            "salicode",
            "emails",
            "expiration date",
            "france unknown",
            "taskmail",
            "task3dmail",
            "capspdf1",
            "mboxinbox",
            "actionshow",
            "twitter",
            "canada unknown",
            "error",
            "ipv4",
            "backend",
            "alfper",
            "gmt contenttype",
            "gmt server",
            "apache",
            "exploit",
            "hostname",
            "dynamicloader",
            "yara rule",
            "delivery",
            "alpha criteria",
            "inno setup",
            "format",
            "june",
            "stack",
            "dummy",
            "overview domain",
            "pulses",
            "tags",
            "related tags",
            "google safe",
            "browsing",
            "record type",
            "ttl value",
            "status",
            "united",
            "asnone united",
            "record value",
            "trojanproxy",
            "servers",
            "as15169 google",
            "for privacy",
            "domains ii",
            "ransom",
            "checks",
            "bios",
            "cpu name",
            "dynamic",
            "filehash",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "technology",
            "dns replication",
            "system label",
            "cloudflarenet",
            "apnic",
            "south brisbane",
            "asia pacific",
            "apnic whois",
            "po box",
            "cordelia st",
            "comment",
            "apnic research",
            "nethandle",
            "arin",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "icmp traffic",
            "dns query",
            "tcp syn",
            "resolverror",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "pulse submit",
            "url analysis",
            "mitre att",
            "ta0002 shared",
            "modules t1129",
            "windows",
            "ta0004 access",
            "t1134",
            "defense evasion",
            "xor encrypt",
            "rc4 prga",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "command",
            "control ob0004",
            "ob0005 defense",
            "evasion ob0006",
            "file system",
            "oc0001 process",
            "oc0003 data",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "lastline",
            "microsoft",
            "memory pattern",
            "dns resolutions",
            "ip traffic",
            "urls tcp",
            "tiger rat",
            "hi",
            "helping sabey"
          ],
          "references": [
            "Andariel Backdoor Activity (Checkin)",
            "IDS: WGET Command Specifying Output in HTTP Headers",
            "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
            "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
            "Mr. Telephone man. there is something wrong with her line when she tries to dial a number, she gets a freak every time..."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Win32/Tonmye",
              "display_name": "Trojan:Win32/Tonmye",
              "target": "/malware/Trojan:Win32/Tonmye"
            },
            {
              "id": "Win32:Kamso",
              "display_name": "Win32:Kamso",
              "target": null
            },
            {
              "id": "VirTool:Win32/CeeInject.GF",
              "display_name": "VirTool:Win32/CeeInject.GF",
              "target": "/malware/VirTool:Win32/CeeInject.GF"
            },
            {
              "id": "ALFPER:PUA:Win32/InstallCore",
              "display_name": "ALFPER:PUA:Win32/InstallCore",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tonmye!rfn",
              "display_name": "Trojan:Win32/Tonmye!rfn",
              "target": "/malware/Trojan:Win32/Tonmye!rfn"
            },
            {
              "id": "Ransom:Win32/Ako",
              "display_name": "Ransom:Win32/Ako",
              "target": "/malware/Ransom:Win32/Ako"
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ARIN",
              "display_name": "ARIN",
              "target": null
            },
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Trojan[APT]/Win32.Lazarus",
              "display_name": "Trojan[APT]/Win32.Lazarus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66eeef55e2c1ec3a4fa60ef4",
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jefivnguyen",
            "id": "293031",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 889,
            "FileHash-SHA1": 817,
            "FileHash-SHA256": 3623,
            "domain": 755,
            "SSLCertFingerprint": 1,
            "URL": 396,
            "hostname": 732,
            "email": 14,
            "CVE": 3,
            "CIDR": 2
          },
          "indicator_count": 7232,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "535 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ebda7ebbe759bb12cebd4a",
          "name": "Andariel Backdoor Activity - Mirai found  in Android",
          "description": "Andariel Backdoor Activity: Cited as a state-sponsored threat group, this ET malware (Check in) can be accessed by decent hackers. Found in a target's Android device.\n\nDevice being used to attack, manipulate accounts, files and every CnC Botmaster task desired.\n\nNote: Hack responsibly. Stop attacking innocent civilians.",
          "modified": "2024-10-19T07:01:20.116000",
          "created": "2024-09-19T08:02:06.265000",
          "tags": [
            "read c",
            "write c",
            "create c",
            "delete c",
            "process32nextw",
            "langchinese",
            "search",
            "regsetvalueexa",
            "medium",
            "show",
            "trojan",
            "malware",
            "copy",
            "write",
            "win32",
            "tools",
            "persistence",
            "execution",
            "local",
            "next",
            "count",
            "august",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "http",
            "domain",
            "passive dns",
            "urls",
            "files related",
            "pulses otx",
            "unknown",
            "cname",
            "files",
            "ip address",
            "as16276",
            "spain unknown",
            "meta name",
            "frame src",
            "ok set",
            "cookie",
            "gmt date",
            "gmt content",
            "encrypt",
            "france",
            "nxdomain",
            "ns nxdomain",
            "aaaa nxdomain",
            "name servers",
            "soa nxdomain",
            "moved",
            "creation date",
            "date",
            "body",
            "aaaa",
            "asnone belgium",
            "united kingdom",
            "as16276 ovh",
            "sha256",
            "maltaterfb",
            "showing",
            "total",
            "read",
            "delete",
            "default",
            "systemroot",
            "high",
            "virtool",
            "virustotal",
            "hacktool",
            "drweb",
            "vipre",
            "panda",
            "et trojan",
            "msie",
            "windows nt",
            "entries",
            "ascii text",
            "intel",
            "ms windows",
            "salicode",
            "emails",
            "expiration date",
            "france unknown",
            "taskmail",
            "task3dmail",
            "capspdf1",
            "mboxinbox",
            "actionshow",
            "twitter",
            "canada unknown",
            "error",
            "ipv4",
            "backend",
            "alfper",
            "gmt contenttype",
            "gmt server",
            "apache",
            "exploit",
            "hostname",
            "dynamicloader",
            "yara rule",
            "delivery",
            "alpha criteria",
            "inno setup",
            "format",
            "june",
            "stack",
            "dummy",
            "overview domain",
            "pulses",
            "tags",
            "related tags",
            "google safe",
            "browsing",
            "record type",
            "ttl value",
            "status",
            "united",
            "asnone united",
            "record value",
            "trojanproxy",
            "servers",
            "as15169 google",
            "for privacy",
            "domains ii",
            "ransom",
            "checks",
            "bios",
            "cpu name",
            "dynamic",
            "filehash",
            "related nids",
            "files location",
            "ddos",
            "activity",
            "checkin",
            "win64",
            "mirai",
            "technology",
            "dns replication",
            "system label",
            "cloudflarenet",
            "apnic",
            "south brisbane",
            "asia pacific",
            "apnic whois",
            "po box",
            "cordelia st",
            "comment",
            "apnic research",
            "nethandle",
            "arin",
            "andariel",
            "yara detections",
            "malware traffic",
            "nids",
            "icmp traffic",
            "dns query",
            "tcp syn",
            "resolverror",
            "externalport",
            "internalport",
            "http headers",
            "home network",
            "pulse submit",
            "url analysis",
            "mitre att",
            "ta0002 shared",
            "modules t1129",
            "windows",
            "ta0004 access",
            "t1134",
            "defense evasion",
            "xor encrypt",
            "rc4 prga",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "command",
            "control ob0004",
            "ob0005 defense",
            "evasion ob0006",
            "file system",
            "oc0001 process",
            "oc0003 data",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "lastline",
            "microsoft",
            "memory pattern",
            "dns resolutions",
            "ip traffic",
            "urls tcp",
            "tiger rat",
            "hi",
            "helping sabey"
          ],
          "references": [
            "Andariel Backdoor Activity (Checkin)",
            "IDS: WGET Command Specifying Output in HTTP Headers",
            "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
            "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
            "Mr. Telephone man. there is something wrong with her line when she tries to dial a number, she gets a freak every time..."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Win32/Tonmye",
              "display_name": "Trojan:Win32/Tonmye",
              "target": "/malware/Trojan:Win32/Tonmye"
            },
            {
              "id": "Win32:Kamso",
              "display_name": "Win32:Kamso",
              "target": null
            },
            {
              "id": "VirTool:Win32/CeeInject.GF",
              "display_name": "VirTool:Win32/CeeInject.GF",
              "target": "/malware/VirTool:Win32/CeeInject.GF"
            },
            {
              "id": "ALFPER:PUA:Win32/InstallCore",
              "display_name": "ALFPER:PUA:Win32/InstallCore",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tonmye!rfn",
              "display_name": "Trojan:Win32/Tonmye!rfn",
              "target": "/malware/Trojan:Win32/Tonmye!rfn"
            },
            {
              "id": "Ransom:Win32/Ako",
              "display_name": "Ransom:Win32/Ako",
              "target": "/malware/Ransom:Win32/Ako"
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ARIN",
              "display_name": "ARIN",
              "target": null
            },
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Trojan[APT]/Win32.Lazarus",
              "display_name": "Trojan[APT]/Win32.Lazarus",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 889,
            "FileHash-SHA1": 817,
            "FileHash-SHA256": 3623,
            "domain": 755,
            "SSLCertFingerprint": 1,
            "URL": 396,
            "hostname": 732,
            "email": 14,
            "CVE": 3,
            "CIDR": 2
          },
          "indicator_count": 7232,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "541 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cec16f4b510d325dc923a1",
          "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware",
          "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Botnet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO.\nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, described as a social group for military personnel. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado. Possibly contracted OIT by state. The link was recently whitelisted.",
          "modified": "2024-09-27T03:03:09.340000",
          "created": "2024-08-28T06:19:27.154000",
          "tags": [
            "as36081 state",
            "location united",
            "america asn",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "mirai",
            "united states",
            "united",
            "ave suite",
            "purpose p5",
            "country united",
            "code us",
            "name security",
            "nexus category",
            "phone number",
            "postal code",
            "network",
            "number",
            "country us",
            "continent na",
            "algorithm",
            "data",
            "v3 serial",
            "cus oapple",
            "public ev",
            "server ecc",
            "g1 validity",
            "organization",
            "subject public",
            "rauschenberg",
            "apple computer",
            "applec1z",
            "mitre att",
            "evasion ta0005",
            "hashes",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "response",
            "request",
            "accept",
            "location https",
            "taiwan as3462",
            "south korea",
            "as4766 korea",
            "high",
            "japan as17676",
            "china as45090",
            "http",
            "search",
            "contacted",
            "malware",
            "copy",
            "as41231",
            "united kingdom",
            "status",
            "aaaa",
            "ddos",
            "whitelisted",
            "certificate",
            "moved",
            "trojan",
            "virtool",
            "encrypt",
            "software",
            "initial",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "body",
            "a domains",
            "linux ubuntu",
            "creation date",
            "enterprise open",
            "ubuntu",
            "linux",
            "social",
            "window",
            "code",
            "ipv4",
            "urls",
            "files",
            "reverse dns",
            "trojan features",
            "file samples",
            "files matching",
            "date hash",
            "domain",
            "address",
            "name servers",
            "servers",
            "intel",
            "icmp traffic",
            "dead_host",
            "network_icmp",
            "osquery_detection",
            "nolookup_communication",
            "pulse pulses",
            "unknown",
            "as20940",
            "as15169 google",
            "dns show",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "province co",
            "error",
            "tr tr",
            "pulse submit",
            "url analysis",
            "hostname",
            "files ip",
            "asnone united",
            "ireland unknown",
            "brazil unknown",
            "next",
            "showing",
            "gmt content",
            "apache cache",
            "pragma",
            "record value",
            "trojanproxy",
            "win32",
            "title",
            "server",
            "alf features",
            "related pulses",
            "show",
            "ip address",
            "asn as16509",
            "china unknown",
            "hichina",
            "hong kong",
            "as133775 xiamen",
            "web server",
            "authentication",
            "tls web",
            "full name",
            "ca issuers",
            "as44273 host",
            "a nxdomain",
            "avast avg",
            "russia unknown",
            "germany unknown",
            "turkey unknown",
            "japan unknown",
            "as16276",
            "france unknown",
            "service",
            "ck ids",
            "t1082",
            "t1129",
            "modules",
            "t1045",
            "packing",
            "t1060",
            "run keys",
            "startup"
          ],
          "references": [
            "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
            "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
            "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
            "Yara: Mirai_Botnet_Malware",
            "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
            "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
            "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
            "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
            "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
            "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
            "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
            "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
            "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
            "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
            "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
            "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
            "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
            "Yara Detections Mirai_Botnet_Malware",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College"
          ],
          "public": 1,
          "adversary": "Frank Di MuccioSGT",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "DDoS:Linux/Lightaidra",
              "display_name": "DDoS:Linux/Lightaidra",
              "target": "/malware/DDoS:Linux/Lightaidra"
            },
            {
              "id": "Trojan:Win32/Skeeyah",
              "display_name": "Trojan:Win32/Skeeyah",
              "target": "/malware/Trojan:Win32/Skeeyah"
            },
            {
              "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "target": null
            },
            {
              "id": "Win.Trojan.Tofsee-6840338-0",
              "display_name": "Win.Trojan.Tofsee-6840338-0",
              "target": null
            },
            {
              "id": "Win.Malware.Snojan-6775202-0",
              "display_name": "Win.Malware.Snojan-6775202-0",
              "target": null
            },
            {
              "id": "#LowFiEnableDTContinueAfterUnpacking",
              "display_name": "#LowFiEnableDTContinueAfterUnpacking",
              "target": null
            },
            {
              "id": "PSW.Generic12.WIO",
              "display_name": "PSW.Generic12.WIO",
              "target": null
            },
            {
              "id": "ELF:Hajime-Q",
              "display_name": "ELF:Hajime-Q",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1601",
              "name": "Modify System Image",
              "display_name": "T1601 - Modify System Image"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1078.001",
              "name": "Default Accounts",
              "display_name": "T1078.001 - Default Accounts"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            }
          ],
          "industries": [
            "Telecommunications",
            "Government",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1108,
            "hostname": 627,
            "domain": 628,
            "URL": 534,
            "FileHash-MD5": 377,
            "FileHash-SHA1": 373,
            "email": 12,
            "CIDR": 2,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3663,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "563 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d3e93798bc3f667ea6fc11",
          "name": "Neural Network \u2022 Cookie Stealer Malware:Zeppelin-10 \u2022",
          "description": "\u2022 Neural networks are computing systems with interconnected nodes that work much like neurons in the human brain. Using algorithms, they can recognize hidden patterns and correlations in raw data, cluster and classify it, and \u2013 over time \u2013 continuously learn and improve.\n\n \u2022 CookieStealer: example of cookie hijacking is when a cybercriminal steals a user's cookie containing their login credentials and uses them to gain unauthorized access to the user's account. A cybercriminal can input that data and start a new session with the target's stolen data, steal credit card information, and other personal information. victims of cookie hijacking puts, everyone and everything is at risk.",
          "modified": "2024-03-20T00:04:12.646000",
          "created": "2024-02-19T23:50:15.678000",
          "tags": [
            "yara detections",
            "cape",
            "all octoseek",
            "av detections",
            "ids detections",
            "alerts",
            "zeppelin-10",
            "strings https",
            "cape_detected_threat",
            "cookie stealer",
            "session hijacking",
            "msdos",
            "dos executable",
            "generic",
            "javascript",
            "files",
            "file type",
            "execution",
            "azure cloud",
            "environments",
            "copy",
            "neural netw",
            "moses staff",
            "contacted",
            "neural network",
            "trojan",
            "spyware",
            "PyDCrypt",
            "DCSrv",
            "remote",
            "modify"
          ],
          "references": [
            "Yara Detections: Zeppelin_10",
            "Yara: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore from ruleset indicator_suspicious by ditekSHen",
            "Yara: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM from ruleset indicator_suspicious by ditekMALWARE_Win_CookieStealer from ruleset malware by ditekSHen",
            "Yara: MALWARE_Win_CookieStealer from ruleset malware by ditekSHen",
            "https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512 RULE_AUTHOR: Florian Roth",
            "http://www.znsjis.top/Home/Index/getdata",
            "Attacked Device: device-local-a69bf612-98a8-4e4b-b6be-d8297272676a.remotewd.com",
            "Attacked Device: device-local-b9d42a82-af52-4bed-9ef3-3f8beb3de9ff.remotewd.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Zeppelin-10",
              "display_name": "Zeppelin-10",
              "target": null
            },
            {
              "id": "ABRisk.PTFV-1",
              "display_name": "ABRisk.PTFV-1",
              "target": null
            },
            {
              "id": "Virus.Scriptxe",
              "display_name": "Virus.Scriptxe",
              "target": null
            },
            {
              "id": "TEL:Exploit:Win32/ShellPdb.B",
              "display_name": "TEL:Exploit:Win32/ShellPdb.B",
              "target": null
            },
            {
              "id": "Win.Malware.Clipbanker-9873068-0",
              "display_name": "Win.Malware.Clipbanker-9873068-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Moses",
              "display_name": "Trojan:Win32/Moses",
              "target": "/malware/Trojan:Win32/Moses"
            }
          ],
          "attack_ids": [
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            }
          ],
          "industries": [
            "Civil Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 112,
            "URL": 91,
            "hostname": 27,
            "domain": 17
          },
          "indicator_count": 285,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "754 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
        "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
        "Alerts: crime_win_cutwail_stage2  infostealer_browser infostealer_cookies recon_programs",
        "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4",
        "Yara Detections Mirai_Botnet_Malware",
        "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
        "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,  UPXv20MarkusLaszloReiser ,  UPX",
        "Detections Executable and linking format (ELF) file download Over HTTP",
        "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
        "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022  192.157.56.140",
        "Yara Detections:  Nullsoft_NSIS    ...",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "http://www.znsjis.top/Home/Index/getdata",
        "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
        "Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
        "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2",
        "High Priority Alerts IDS:  Backdoor.Darpapox/Jaku  \u2022 CNAME CnC Beacon (WinVer 6.1)",
        "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p",
        "IDS: WGET Command Specifying Output in HTTP Headers",
        "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.",
        "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
        "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
        "Attacked Device: device-local-b9d42a82-af52-4bed-9ef3-3f8beb3de9ff.remotewd.com",
        "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140",
        "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com",
        "Small_Yara:   IP\u2019s Contacted  176.32.103.205  205.251.242.103",
        "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555",
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775707976&Signature=Z0ONm%2F0wVjw0Rx2N5hAGxIiVIALUbH3x8CZiGv16W%2BYQKg5S7mzalEJws%2BpnQLrXRGD1b6FOVnilnkNSCz8c9S%2Fc63Iubch%2Fy8MOvBGk%2BzLu3CXluRtPSLxKLAX5YEZC6aqrY0sO%2FxbhUKewiNSp0qUkFApC4rVZkxM83bV%2Fze1Sg4Ke1gRUsBLXe0MtidGVHPxoDrlG%2FSM04%2FQL%2B4GV0brv2nHqO3%2FQO9Rebf",
        "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html",
        "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
        "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do",
        "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]",
        "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
        "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
        "Yara Detections: Mirai_Botnet_Malware ,  MAL_ELF_LNX_Mirai_Oct10_2 ,  SUSP_XORed_Mozilla ,  is__elf",
        "Used as  Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254",
        "Yara Detections: Zeppelin_10",
        "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
        "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
        "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
        "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
        "Kawaii-Unicorn.exe",
        "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin",
        "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth,  Australia ASN AS1221 telstra corporation",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)",
        "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.",
        "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College",
        "Attacked Device: device-local-a69bf612-98a8-4e4b-b6be-d8297272676a.remotewd.com",
        "High Priority Alerts IDS:  \u2022 199.59.243.228",
        "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708098&Signature=bkoeP8r%2BrKJ5WlhgIc4xoWA04UxYOruaW08Ii84ZB%2FSxnDFXWvpomfR%2FXQ4e2xgSBpB%2Fovj4vr70QMdYRECRBxTU0hgeUOh2EDPkJHuvS7itflXpXbjPnjJI2dm2B7t%2F3mQY6O4q7d1oKLpRBLlTxWa%2FzhU8ejI0MRgPR3v1ryf9vNXF%2FfPoQg74q3Wrn2W3k%2FxC3Mdg0ZNoSH%2FdvV3wRMBDEHyjmLKMUPiQD93iVPxY7xbkjsXd",
        "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com",
        "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users",
        "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
        "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
        "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228",
        "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process",
        "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
        "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
        "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html",
        "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,",
        "Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
        "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
        "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication",
        "HTTP traffic on port 443 (POST)",
        "Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time...",
        "https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512 RULE_AUTHOR: Florian Roth",
        "https://www.virustotal.com/graph/embed/g2ef5990d26324c34bf891ad5b1225bc96eb60a570a9c43959288823058f3150e?theme=dark",
        "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228",
        "Cart.Guru",
        "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net",
        "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name",
        "Yara: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM from ruleset indicator_suspicious by ditekMALWARE_Win_CookieStealer from ruleset malware by ditekSHen",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
        "cpe-1-159-170-17.wb05.wa.asp.telstra.net",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228",
        "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
        "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process",
        "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin",
        "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
        "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140",
        "198.49.6.6 \u00bb Loveland,  United States of America ASN AS25825 poudre valley health care inc.",
        "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html",
        "T1110.001 (Brute Force: Password Guessing)",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022",
        "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary",
        "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
        "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html",
        "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/summary",
        "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "IP\u2019s Contacted:  1.0.128.143  1.10.54.226  1.107.217.150  1.112.34.224  1.114.165.87  1.116.76.208  1.118.37.88  1.121.139.226  1.122.96.75 1.114.207.168",
        "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
        "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostname www.appleremotesupport.com",
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708073&Signature=X82moDKFn%2BHd%2FymX0XcBWbmabFgo74nMb1YI36WV0eMYsfGCJsreegYDMxRtgvbVVvcC3dMTo1x96pbi7v%2Fa4lf6euYxNUB%2BNmm8dnqdWwIksIJ8Y0a4GzNL2aCwTzs5YSD8iMN43mMkxR14z%2BbSuTVv76CyoXjFCl2kCaEtIIoJa5iJex4jR7pTVG%2BhrZb3060B9jPvhlJtg0RxbGA%2BcEnqfoSZhpRHNO7n3Qtv7r",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
        "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
        "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
        "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Yara: Mirai_Botnet_Malware",
        "ELF:Mirai-BZ\\ [Trj]  cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation",
        "Yara: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore from ruleset indicator_suspicious by ditekSHen",
        "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector",
        "URLscanio, FSio, vT",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
        "Yara Detections: Delphi",
        "Andariel group \u00bb State-sponsored threat actor & Defense media",
        "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228",
        "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
        "Trojan:Win32/Zombie.A FileHash-SHA256  ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830",
        "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
        "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html",
        "Andariel Backdoor Activity (Checkin)",
        "Yara: MALWARE_Win_CookieStealer from ruleset malware by ditekSHen",
        "High Priority Alerts:  suricata_alert antivm_bochs_keys physical_drive_access",
        "Domains Contacted: ntp.ubuntu.com",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread",
        "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html",
        "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9",
        "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228",
        "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/iocs",
        "Priority Alerts:  enumerates_running_processes reads_self network_http"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Palantir Pegasus",
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
            "NSO",
            "Frank Di MuccioSGT"
          ],
          "malware_families": [
            "Win.malware.bzub-9969513-0",
            "#fp539598-vbs/loveletter.bt",
            "Alfper:pua:win32/installcore",
            "Shellcode",
            "Ddos:linux/lightaidra",
            "Virtool:win32/obfuscator",
            "Backdoor:linux/mirai.b",
            "Pws:win32/zbot!ci",
            "Elf:ddos-y\\ [trj]",
            "Abrisk.ptfv-1",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Psw.generic12.wio",
            "Trojan:win32/bagsu!rfn",
            "Botnet",
            "Win.trojan.tofsee-6840338-0",
            "Win.trojan.agent",
            "Trojan[apt]/win32.lazarus",
            "Tel:exploit:win32/shellpdb.b",
            "Trojandownloader:win32/fosniw",
            "Ransom:win32/haperlock",
            "Trojan:win32/qqpass",
            "Virtool:win32/ceeinject.gf",
            "Elf:mirai-bz\\ [trj]",
            "Win.dropper.unruy-9994363-0",
            "Alf:trojan:msil/blackfus.c",
            "#lowfienabledtcontinueafterunpacking",
            "Mirai_botnet_malware",
            "Win.malware.clipbanker-9873068-0",
            "Zeppelin-10",
            "Elf:hajime-q",
            "Apnic",
            "Win32:rootkit",
            "Trojan:win32/zombie.a",
            "Win.trojan.barys-10005825-0",
            "Trojanspy",
            "Pegasus",
            "Backdoor.darpapox/jaku",
            "Hacktool:win32/mimikatz",
            "Trojan:win32/moses",
            "Backdoor:win32/plugx.n!",
            "Virus.scriptxe",
            "Unix.trojan.mirai-6976991-0",
            "Win.trojan.emotet-7545664-0",
            "Win32:evo-gen\\ [susp]",
            "Trojanclicker:win32/frosparf",
            "Win32:backdoor",
            "Alf:jasyp:trojandownloader:win32/upatre!atmn",
            "Trojandownloader:win32/cutwail",
            "Trojan:win32/smokeloader",
            "Virtool:win32/obfuscator.ahu",
            "Win.packed.razy-6847895-0",
            "Unix.trojan.mirai-6981169-0",
            "Tofsee",
            "Win32:malware",
            "Trojan:win32/skeeyah",
            "Win32:agent",
            "Pony",
            "Trojan:win32/tonmye",
            "Ransom:win32/ako",
            "Trojan:win32/tonmye!rfn",
            "Vb flash",
            "Win.dropper.qqpass-7194329-0",
            "Pegasus - mob-s0005",
            "Rxr",
            "Trojan:win64/coinminer.we",
            "Win.malware.snojan-6775202-0",
            "#lowfi:win32/sandboxproductid",
            "Win32:kamso",
            "Win32:malob-bx\\ [cryp]",
            "Win.trojan.badur-8004052-0",
            "Mirai",
            "Alf:trojan:win32/flystudio.pa!mtb",
            "Ransom:win32/haperlock.a",
            "Trojanproxy:win32/ceutv.a",
            "Arin",
            "Malware family: stealthworker / gobrut",
            "Worm:win32/autorun",
            "Trojan:win32/dorv.a"
          ],
          "industries": [
            "Legal",
            "Finance",
            "Government",
            "Retail",
            "Telecommunications",
            "Civilian society",
            "Education",
            "Healthcare",
            "Hospitality",
            "Technology",
            "Civil society",
            "Transportation"
          ],
          "unique_indicators": 82974
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/amazon.com",
    "whois": "http://whois.domaintools.com/amazon.com",
    "domain": "amazon.com",
    "hostname": "www.amazon.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "69d7273a8c29f4dc6578a263",
      "name": "CAPE Sandbox - hahahah23.exe 100/100 ZenBox Malicious",
      "description": "<The Yara malware has been detected on the Windows operating system and is being investigated by researchers in the UK. \u00a32.5m (\u00a31.4m) in total.> This was found under verizonbuisness.com - hahahah23.exe File type: PE32+ executable (GUI) x86-64, for MS Windows File size: 177.09 MB SHA256: 227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba SHA1: 27d557bd17ee9c8f104acfa4fe6d90b79579e550 MD5: e5ce407c672befa2c5f35613e18a6a6e SHA512: bc3b53b79579571b7d66aac8c4e63d9ac8970f2faa4cf018a042eadfc5411de6dc6ed0ce0e3f8ac10869c1b586f6fcdfce2eeac52bdfaec34f5d1add32788f98 Entropy: 7.999445848230399",
      "modified": "2026-04-09T04:38:52.131000",
      "created": "2026-04-09T04:12:42.966000",
      "tags": [
        "default",
        "shell folders",
        "inprocserver32",
        "shell foldersmy",
        "parent pid",
        "full path",
        "command line",
        "use tab",
        "commands c",
        "k dcomlaunch",
        "windows sandbox",
        "calls clear",
        "file type",
        "crlf line",
        "ascii text",
        "pe file",
        "found",
        "pe32",
        "ms windows",
        "intel",
        "drops pe",
        "yara",
        "malicious",
        "privateloader",
        "ffdroider",
        "code",
        "babadeda",
        "winrar",
        "persistence",
        "socelars",
        "info",
        "next",
        "verizonbusiness.com",
        "Quasar RAT",
        "Predator",
        "Mercenary spyware",
        "trusted insider",
        "united"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775707976&Signature=Z0ONm%2F0wVjw0Rx2N5hAGxIiVIALUbH3x8CZiGv16W%2BYQKg5S7mzalEJws%2BpnQLrXRGD1b6FOVnilnkNSCz8c9S%2Fc63Iubch%2Fy8MOvBGk%2BzLu3CXluRtPSLxKLAX5YEZC6aqrY0sO%2FxbhUKewiNSp0qUkFApC4rVZkxM83bV%2Fze1Sg4Ke1gRUsBLXe0MtidGVHPxoDrlG%2FSM04%2FQL%2B4GV0brv2nHqO3%2FQO9Rebf",
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708073&Signature=X82moDKFn%2BHd%2FymX0XcBWbmabFgo74nMb1YI36WV0eMYsfGCJsreegYDMxRtgvbVVvcC3dMTo1x96pbi7v%2Fa4lf6euYxNUB%2BNmm8dnqdWwIksIJ8Y0a4GzNL2aCwTzs5YSD8iMN43mMkxR14z%2BbSuTVv76CyoXjFCl2kCaEtIIoJa5iJex4jR7pTVG%2BhrZb3060B9jPvhlJtg0RxbGA%2BcEnqfoSZhpRHNO7n3Qtv7r",
        "https://vtbehaviour.commondatastorage.googleapis.com/227e72283126817e759c381f2889ed4cd7bb58f94d67b7c047eef19ee99c19ba_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775708098&Signature=bkoeP8r%2BrKJ5WlhgIc4xoWA04UxYOruaW08Ii84ZB%2FSxnDFXWvpomfR%2FXQ4e2xgSBpB%2Fovj4vr70QMdYRECRBxTU0hgeUOh2EDPkJHuvS7itflXpXbjPnjJI2dm2B7t%2F3mQY6O4q7d1oKLpRBLlTxWa%2FzhU8ejI0MRgPR3v1ryf9vNXF%2FfPoQg74q3Wrn2W3k%2FxC3Mdg0ZNoSH%2FdvV3wRMBDEHyjmLKMUPiQD93iVPxY7xbkjsXd"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 65,
        "FileHash-MD5": 2426,
        "FileHash-SHA1": 174,
        "FileHash-SHA256": 1237,
        "URL": 104,
        "domain": 8,
        "hostname": 52
      },
      "indicator_count": 4066,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6992bae83a5988dff8311490",
      "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
      "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
      "modified": "2026-04-02T23:49:02.973000",
      "created": "2026-02-16T06:36:24.788000",
      "tags": [
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
        "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
        "#PotentialUS-Origin_FalseFlag_Obfuscation"
      ],
      "references": [
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "This technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
      ],
      "public": 1,
      "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Malware Family: StealthWorker / GoBrut",
          "display_name": "Malware Family: StealthWorker / GoBrut",
          "target": "/malware/Malware Family: StealthWorker / GoBrut"
        },
        {
          "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2166,
        "FileHash-SHA1": 2067,
        "FileHash-SHA256": 3371,
        "domain": 13295,
        "URL": 6860,
        "email": 272,
        "hostname": 4705,
        "SSLCertFingerprint": 268,
        "CVE": 107,
        "CIDR": 6
      },
      "indicator_count": 33117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69228447b9c71795633314df",
      "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 02.16.26",
      "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.",
      "modified": "2026-03-04T21:04:10.482000",
      "created": "2025-11-23T03:49:27.649000",
      "tags": [
        "geoip",
        "as54113",
        "fastly",
        "as20940",
        "as15169",
        "google",
        "as214401",
        "maincubesas",
        "gmbh",
        "apache geoip",
        "facebook",
        "UAlberta",
        "AHS",
        "Treaty 8",
        "GoA",
        "Alberta",
        "Edmonton",
        "YEG"
      ],
      "references": [
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
        "URLscanio, FSio, vT",
        "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Cura\u00e7ao",
        "Guatemala",
        "Sint Maarten (Dutch part)",
        "Tanzania, United Republic of",
        "Barbados",
        "United States of America",
        "Bahamas",
        "Anguilla",
        "Canada",
        "Saint Vincent and the Grenadines",
        "United Kingdom of Great Britain and Northern Ireland",
        "Kenya",
        "France",
        "Aruba",
        "Mexico",
        "Poland",
        "Costa Rica",
        "Ireland",
        "Trinidad and Tobago",
        "Netherlands",
        "Slovakia",
        "Spain",
        "Philippines"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Technology",
        "Telecommunications",
        "Education",
        "Healthcare",
        "Finance",
        "Retail",
        "Hospitality",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 47,
        "FileHash-MD5": 32,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 1047,
        "URL": 4006,
        "domain": 2126,
        "email": 412,
        "hostname": 2122,
        "CVE": 1
      },
      "indicator_count": 9805,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "39 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69519fa81048ad057eb9beaa",
      "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
      "description": "I really love using this tool (LevelBlue -OTX). In all reality this information would have been sent to the government. CISA, NSA, Homeland Security, Citizens Lab, Canada based international organization would have been involved years ago. | \nWhere does this information go? Citizens Lab would have been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild, credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
      "modified": "2026-01-27T21:02:45.343000",
      "created": "2025-12-28T21:22:48.595000",
      "tags": [
        "united",
        "servers",
        "moved",
        "ip address",
        "record value",
        "encrypt",
        "present jul",
        "present jun",
        "trojandropper",
        "passive dns",
        "ipv4 add",
        "urls",
        "files",
        "virtool",
        "united states",
        "dynamicloader",
        "directui",
        "element",
        "classinfobase",
        "write c",
        "medium",
        "yara rule",
        "msvisualbasic60",
        "high",
        "hwndelement",
        "explorer",
        "write",
        "movie",
        "insert",
        "program",
        "python",
        "http traffic",
        "trojan generic",
        "search",
        "cnc activity",
        "delphi",
        "win32",
        "launcher",
        "pony",
        "fareit",
        "malware",
        "push",
        "msie",
        "windows nt",
        "generic",
        "checkin",
        "post",
        "yara detections",
        "rxr",
        "inject",
        "memcommit",
        "cryptexportkey",
        "invalid pointer",
        "regsetvalueexa",
        "solutions ltd",
        "read c",
        "regdword",
        "mozilla",
        "persistence",
        "execution",
        "android",
        "unknown",
        "learn",
        "suspicious",
        "informative",
        "adversaries",
        "ck id",
        "name tactics",
        "command",
        "initial access",
        "defense evasion",
        "spawns",
        "t1590 gather",
        "flag",
        "click",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "pattern match",
        "mitre att",
        "ck matrix",
        "href",
        "ascii text",
        "starfield",
        "hybrid",
        "general",
        "local",
        "path",
        "iframe",
        "palantir",
        "present nov",
        "present oct",
        "status",
        "present apr",
        "present dec",
        "cryp",
        "date",
        "trojan",
        "title",
        "name servers",
        "windows",
        "t1060",
        "disables proxy",
        "dock",
        "pegasus",
        "rootkit",
        "backdoor",
        "susp",
        "win32qqpass feb",
        "worm",
        "msr win32",
        "win64",
        "process32nextw",
        "findwindowa",
        "file execution",
        "writeconsolea",
        "procexpl",
        "file v2",
        "document",
        "document file",
        "v2 document",
        "lost",
        "tools",
        "pecompact",
        "media",
        "autorun",
        "service",
        "post http",
        "delete",
        "alerts",
        "emotet",
        "rkt",
        "autorun",
        "worm",
        "plugins",
        "title error",
        "body doctype",
        "html public",
        "w3cdtd html",
        "html head",
        "domain",
        "expiration date",
        "hostname add",
        "pulse pulses",
        "contacted hosts",
        "sha1",
        "sha256",
        "show technique",
        "strings",
        "t1480 execution",
        "signing defense",
        "script urls",
        "a domains",
        "unknown ns",
        "texas flyover",
        "script domains",
        "script script",
        "meta",
        "window",
        "process details",
        "contacted"
      ],
      "references": [
        "Cart.Guru",
        "Yara Detections: Delphi",
        "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
        "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
        "HTTP traffic on port 443 (POST)",
        "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
        "Alerts: crime_win_cutwail_stage2  infostealer_browser infostealer_cookies recon_programs",
        "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
        "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
        "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
        "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
        "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
        "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
        "Yara Detections:  Nullsoft_NSIS    ...",
        "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
        "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
        "Small_Yara:   IP\u2019s Contacted  176.32.103.205  205.251.242.103",
        "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
        "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
        "Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
        "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users"
      ],
      "public": 1,
      "adversary": "Palantir Pegasus",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RXR",
          "display_name": "RXR",
          "target": null
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator",
          "display_name": "VirTool:Win32/Obfuscator",
          "target": "/malware/VirTool:Win32/Obfuscator"
        },
        {
          "id": "Trojan:Win32/Bagsu!rfn",
          "display_name": "Trojan:Win32/Bagsu!rfn",
          "target": "/malware/Trojan:Win32/Bagsu!rfn"
        },
        {
          "id": "#LowFiEnableDTContinueAfterUnpacking",
          "display_name": "#LowFiEnableDTContinueAfterUnpacking",
          "target": null
        },
        {
          "id": "Win32:MalOb-BX\\ [Cryp]",
          "display_name": "Win32:MalOb-BX\\ [Cryp]",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "#Lowfi:Win32/SandboxProductId",
          "display_name": "#Lowfi:Win32/SandboxProductId",
          "target": "/malware/#Lowfi:Win32/SandboxProductId"
        },
        {
          "id": "Win32:Backdoor",
          "display_name": "Win32:Backdoor",
          "target": null
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "Win32:Evo-gen\\ [Susp]",
          "display_name": "Win32:Evo-gen\\ [Susp]",
          "target": null
        },
        {
          "id": "ALF:Trojan:MSIL/BlackFus.C",
          "display_name": "ALF:Trojan:MSIL/BlackFus.C",
          "target": null
        },
        {
          "id": "Win32:Malware",
          "display_name": "Win32:Malware",
          "target": null
        },
        {
          "id": "TrojanProxy:Win32/Ceutv.A",
          "display_name": "TrojanProxy:Win32/Ceutv.A",
          "target": "/malware/TrojanProxy:Win32/Ceutv.A"
        },
        {
          "id": "VirTool:Win32/Obfuscator.AHU",
          "display_name": "VirTool:Win32/Obfuscator.AHU",
          "target": "/malware/VirTool:Win32/Obfuscator.AHU"
        },
        {
          "id": "ShellCode",
          "display_name": "ShellCode",
          "target": null
        },
        {
          "id": "Win32:Rootkit",
          "display_name": "Win32:Rootkit",
          "target": null
        },
        {
          "id": "VB Flash",
          "display_name": "VB Flash",
          "target": null
        },
        {
          "id": "Worm:Win32/Autorun",
          "display_name": "Worm:Win32/Autorun",
          "target": "/malware/Worm:Win32/Autorun"
        },
        {
          "id": "Win.Packed.Razy-6847895-0",
          "display_name": "Win.Packed.Razy-6847895-0",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Plugx.N!",
          "display_name": "Backdoor:Win32/Plugx.N!",
          "target": "/malware/Backdoor:Win32/Plugx.N!"
        },
        {
          "id": "Win.Dropper.QQpass-7194329-0",
          "display_name": "Win.Dropper.QQpass-7194329-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/QQpass",
          "display_name": "Trojan:Win32/QQpass",
          "target": "/malware/Trojan:Win32/QQpass"
        },
        {
          "id": "Win32:Agent",
          "display_name": "Win32:Agent",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent",
          "display_name": "Win.Trojan.Agent",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-7545664-0",
          "display_name": "Win.Trojan.Emotet-7545664-0",
          "target": null
        },
        {
          "id": "Pegasus - MOB-S0005",
          "display_name": "Pegasus - MOB-S0005",
          "target": null
        },
        {
          "id": "Pegasus",
          "display_name": "Pegasus",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1584.005",
          "name": "Botnet",
          "display_name": "T1584.005 - Botnet"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1054",
          "name": "Indicator Blocking",
          "display_name": "T1054 - Indicator Blocking"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2362,
        "domain": 449,
        "hostname": 710,
        "email": 6,
        "FileHash-MD5": 260,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 333,
        "SSLCertFingerprint": 27
      },
      "indicator_count": 4348,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "75 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69519fa818f84531ce6becc9",
      "name": "Cart.Guru Malware Hosting - Malware Packed _Pegasus Espionage Detected (Positive)",
      "description": "I really love using this tool (LevelBlue -OTX). In all reality this information would have been sent to the government. CISA, NSA, Homeland Security, Citizens Lab, Canada-based international organization would have been involved years ago. Where does this information go? Citizens Lab would have been attempting to track 1000\u2019s of affected Pegasus targets. OTX detected and tagged Pegasus. I suspected it. This is from a Palantir Malware Hosting Honey Pot. \n\nWhen Pegasus was discovered in the wild, credited to those who found what the real team (T8) found, Citizens Lab then conducted tests in 2021\non the cell phone of Jamal Khashoggi, a Saudi dissident journalist. Pegasus is a kill list. \n\nVictims need help. There are a few people even on this platform that are on this list. Unless it\u2019s the US government who has ordered these actions, I don\u2019t know what is going on. The targets are not only innocent, some are crime victims, some are going mad. AT&T corporate easily confirms LevelBlue is legitimate.",
      "modified": "2026-01-27T21:02:45.343000",
      "created": "2025-12-28T21:22:48.383000",
      "tags": [
        "united",
        "servers",
        "moved",
        "ip address",
        "record value",
        "encrypt",
        "present jul",
        "present jun",
        "trojandropper",
        "passive dns",
        "ipv4 add",
        "urls",
        "files",
        "virtool",
        "united states",
        "dynamicloader",
        "directui",
        "element",
        "classinfobase",
        "write c",
        "medium",
        "yara rule",
        "msvisualbasic60",
        "high",
        "hwndelement",
        "explorer",
        "write",
        "movie",
        "insert",
        "program",
        "python",
        "http traffic",
        "trojan generic",
        "search",
        "cnc activity",
        "delphi",
        "win32",
        "launcher",
        "pony",
        "fareit",
        "malware",
        "push",
        "msie",
        "windows nt",
        "generic",
        "checkin",
        "post",
        "yara detections",
        "rxr",
        "inject",
        "memcommit",
        "cryptexportkey",
        "invalid pointer",
        "regsetvalueexa",
        "solutions ltd",
        "read c",
        "regdword",
        "mozilla",
        "persistence",
        "execution",
        "android",
        "unknown",
        "learn",
        "suspicious",
        "informative",
        "adversaries",
        "ck id",
        "name tactics",
        "command",
        "initial access",
        "defense evasion",
        "spawns",
        "t1590 gather",
        "flag",
        "click",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "pattern match",
        "mitre att",
        "ck matrix",
        "href",
        "ascii text",
        "starfield",
        "hybrid",
        "general",
        "local",
        "path",
        "iframe",
        "palantir",
        "present nov",
        "present oct",
        "status",
        "present apr",
        "present dec",
        "cryp",
        "date",
        "trojan",
        "title",
        "name servers",
        "windows",
        "t1060",
        "disables proxy",
        "dock",
        "pegasus",
        "rootkit",
        "backdoor",
        "susp",
        "win32qqpass feb",
        "worm",
        "msr win32",
        "win64",
        "process32nextw",
        "findwindowa",
        "file execution",
        "writeconsolea",
        "procexpl",
        "file v2",
        "document",
        "document file",
        "v2 document",
        "lost",
        "tools",
        "pecompact",
        "media",
        "autorun",
        "service",
        "post http",
        "delete",
        "alerts",
        "emotet",
        "rkt",
        "autorun",
        "worm",
        "plugins",
        "title error",
        "body doctype",
        "html public",
        "w3cdtd html",
        "html head",
        "domain",
        "expiration date",
        "hostname add",
        "pulse pulses",
        "contacted hosts",
        "sha1",
        "sha256",
        "show technique",
        "strings",
        "t1480 execution",
        "signing defense",
        "script urls",
        "a domains",
        "unknown ns",
        "texas flyover",
        "script domains",
        "script script",
        "meta",
        "window",
        "process details",
        "contacted"
      ],
      "references": [
        "Cart.Guru",
        "Yara Detections: Delphi",
        "Chekin -Fareit/Pony Downloader Checkin 2 \u2022 Generic - POST To gate.php with no referer",
        "MSIL/Injector.RXR Variant CnC Activity Trojanr Generic - POST To gate.php with no referer",
        "HTTP traffic on port 443 (POST)",
        "IDS Detections Observed Suspicious UA (NSIS_Inetc (Mozilla)) Observed DNS Query",
        "Alerts: crime_win_cutwail_stage2  infostealer_browser infostealer_cookies recon_programs",
        "Alerts: banker_zeus_url procmem_yara suricata_alert infostealer_ftp dynamic_function_loading reads_self network_cnc_http",
        "Alerts: network_icmp persistence_autorun deletes_executed_files modifies_certificates",
        "Alerts: ransomware_dropped_files dumped_buffer network_cnc_http network_http",
        "Alerts: network_http_post allocates_rwx antisandbox_sleep antivm_disk_size creates_exe",
        "Alerts: exe_appdata antivm_network_adapters network_downloader_exe privilege_luid_check",
        "Alerts: checks_debugger generates_crypto_key modifies_proxy_wpad",
        "Yara Detections:  Nullsoft_NSIS    ...",
        "Win32:Evo-gen\\ [Susp] http://downwingbuttons.site/7/huge.dat",
        "Small: Win32:Malware-gen (Small) Yara Detections stack_string \u2022 Domains Contacted: amazon.com",
        "Small_Yara:   IP\u2019s Contacted  176.32.103.205  205.251.242.103",
        "Small_Alerts: persistence_autorun disables_proxy removes_zoneid_ads allocates_rwx",
        "Small _Alerts: antisandbox_foregroundwindows suspicious_process stealth_window packer_entropy",
        "Emotet IDS Detections: Win32/Emotet CnC Checkin Response",
        "Emotet Yara: Yara Detections ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users"
      ],
      "public": 1,
      "adversary": "Palantir Pegasus",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "RXR",
          "display_name": "RXR",
          "target": null
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator",
          "display_name": "VirTool:Win32/Obfuscator",
          "target": "/malware/VirTool:Win32/Obfuscator"
        },
        {
          "id": "Trojan:Win32/Bagsu!rfn",
          "display_name": "Trojan:Win32/Bagsu!rfn",
          "target": "/malware/Trojan:Win32/Bagsu!rfn"
        },
        {
          "id": "#LowFiEnableDTContinueAfterUnpacking",
          "display_name": "#LowFiEnableDTContinueAfterUnpacking",
          "target": null
        },
        {
          "id": "Win32:MalOb-BX\\ [Cryp]",
          "display_name": "Win32:MalOb-BX\\ [Cryp]",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "#Lowfi:Win32/SandboxProductId",
          "display_name": "#Lowfi:Win32/SandboxProductId",
          "target": "/malware/#Lowfi:Win32/SandboxProductId"
        },
        {
          "id": "Win32:Backdoor",
          "display_name": "Win32:Backdoor",
          "target": null
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "Win32:Evo-gen\\ [Susp]",
          "display_name": "Win32:Evo-gen\\ [Susp]",
          "target": null
        },
        {
          "id": "ALF:Trojan:MSIL/BlackFus.C",
          "display_name": "ALF:Trojan:MSIL/BlackFus.C",
          "target": null
        },
        {
          "id": "Win32:Malware",
          "display_name": "Win32:Malware",
          "target": null
        },
        {
          "id": "TrojanProxy:Win32/Ceutv.A",
          "display_name": "TrojanProxy:Win32/Ceutv.A",
          "target": "/malware/TrojanProxy:Win32/Ceutv.A"
        },
        {
          "id": "VirTool:Win32/Obfuscator.AHU",
          "display_name": "VirTool:Win32/Obfuscator.AHU",
          "target": "/malware/VirTool:Win32/Obfuscator.AHU"
        },
        {
          "id": "ShellCode",
          "display_name": "ShellCode",
          "target": null
        },
        {
          "id": "Win32:Rootkit",
          "display_name": "Win32:Rootkit",
          "target": null
        },
        {
          "id": "VB Flash",
          "display_name": "VB Flash",
          "target": null
        },
        {
          "id": "Worm:Win32/Autorun",
          "display_name": "Worm:Win32/Autorun",
          "target": "/malware/Worm:Win32/Autorun"
        },
        {
          "id": "Win.Packed.Razy-6847895-0",
          "display_name": "Win.Packed.Razy-6847895-0",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Plugx.N!",
          "display_name": "Backdoor:Win32/Plugx.N!",
          "target": "/malware/Backdoor:Win32/Plugx.N!"
        },
        {
          "id": "Win.Dropper.QQpass-7194329-0",
          "display_name": "Win.Dropper.QQpass-7194329-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/QQpass",
          "display_name": "Trojan:Win32/QQpass",
          "target": "/malware/Trojan:Win32/QQpass"
        },
        {
          "id": "Win32:Agent",
          "display_name": "Win32:Agent",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent",
          "display_name": "Win.Trojan.Agent",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-7545664-0",
          "display_name": "Win.Trojan.Emotet-7545664-0",
          "target": null
        },
        {
          "id": "Pegasus - MOB-S0005",
          "display_name": "Pegasus - MOB-S0005",
          "target": null
        },
        {
          "id": "Pegasus",
          "display_name": "Pegasus",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1584.005",
          "name": "Botnet",
          "display_name": "T1584.005 - Botnet"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1054",
          "name": "Indicator Blocking",
          "display_name": "T1054 - Indicator Blocking"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2362,
        "domain": 449,
        "hostname": 710,
        "email": 6,
        "FileHash-MD5": 260,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 333,
        "SSLCertFingerprint": 27
      },
      "indicator_count": 4348,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "75 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69458259401a612102d02679",
      "name": "NSO Group (original pulse degraded by a delete service)",
      "description": "",
      "modified": "2025-12-19T16:50:33.337000",
      "created": "2025-12-19T16:50:33.337000",
      "tags": [
        "iocs",
        "urls https",
        "generic malware",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "detection list",
        "luca stealer",
        "cisco umbrella",
        "site",
        "safe site",
        "heur",
        "malicious url",
        "alexa top",
        "malicious site",
        "malware site",
        "unsafe",
        "trojanx",
        "malware",
        "metastealer",
        "alexa",
        "dbatloader",
        "outbreak",
        "downloader",
        "blocker",
        "ransom",
        "autoit",
        "trojan",
        "irata",
        "allakore",
        "trojanspy",
        "hash",
        "ms windows",
        "pe32",
        "write c",
        "t1045",
        "show",
        "high",
        "search",
        "pe32 executable",
        "copy",
        "write",
        "win64",
        "scan endpoints",
        "all scoreblue",
        "filehash",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "entries",
        "powershell",
        "mfc mfc",
        "united",
        "as54113",
        "as14061",
        "as9009 m247",
        "whitelisted",
        "status",
        "united kingdom",
        "name servers",
        "aaaa",
        "passive dns",
        "urls",
        "overview ip",
        "address",
        "related nids",
        "files location",
        "files domain",
        "files related",
        "pulses otx",
        "pulses",
        "as15133 verizon",
        "cname",
        "as16552 tiggee",
        "as20940",
        "domain",
        "as16625 akamai",
        "creation date",
        "body",
        "unknown",
        "ipv4",
        "softcnapp",
        "trojandropper",
        "epaeedpaer",
        "eoaee",
        "qaexedoae",
        "showing",
        "sha256",
        "strings",
        "august",
        "files",
        "main",
        "germany asn",
        "win32",
        "miner",
        "next",
        "asnone united",
        "moved",
        "as8987 amazon",
        "trojanproxy",
        "virtool",
        "yara rule",
        "formbook cnc",
        "checkin",
        "mtb aug",
        "a domains",
        "present sep",
        "twitter",
        "accept",
        "certificate",
        "record value",
        "dynamicloader",
        "medium",
        "dynamic",
        "network",
        "reads",
        "port",
        "anomaly",
        "overview domain",
        "tags",
        "related tags",
        "dns status",
        "hostname query",
        "type address",
        "first seen",
        "seen asn",
        "country unknown",
        "nxdomain",
        "a nxdomain",
        "as16276",
        "spain unknown",
        "meta name",
        "frame src",
        "ok set",
        "cookie",
        "gmt date",
        "encrypt",
        "hostname",
        "files ip",
        "address domain",
        "france",
        "emails",
        "aaaa fd00",
        "as16276 ovh",
        "poland",
        "contacted",
        "wine emulator",
        "ip address",
        "script urls",
        "date",
        "meta",
        "flag united",
        "url http",
        "pulse http",
        "http",
        "as8075",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "servers",
        "expiration date",
        "sorry something",
        "gmt content",
        "canada unknown",
        "error",
        "backend",
        "france unknown",
        "alfper",
        "gmt contenttype",
        "apache",
        "exploit",
        "as15169 google",
        "wireless",
        "as23027 boingo",
        "pulse submit",
        "url analysis",
        "location united",
        "nso group",
        "pegasus spyware",
        "url indicator",
        "active created",
        "modified",
        "email",
        "nso",
        "germany",
        "pattern",
        "susp",
        "msil",
        "akamai",
        "gmt connection",
        "netherlands",
        "ovhfr",
        "ns nxdomain",
        "australia",
        "redacted for",
        "andariel group",
        "defense",
        "andariel",
        "check",
        "opera ua",
        "et trojan",
        "attempts",
        "april",
        "zbot",
        "possible zeus",
        "as140107 citis",
        "america asn",
        "as22612",
        "as397240",
        "as19527 google",
        "apple"
      ],
      "references": [
        "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "Andariel group \u00bb State-sponsored threat actor & Defense media",
        "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin",
        "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process",
        "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread",
        "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p",
        "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef",
        "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net",
        "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9",
        "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2",
        "NSO Group auto-populated/relevant to research results. For several years we've seen evidence of Pegasus attacks on Americans.",
        "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com",
        "Used as Apple IPs: 160.153.62.66 | 162.255.119.21 | 192.64.119.254",
        "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostname www.appleremotesupport.com"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Sweden",
        "Germany",
        "India",
        "United Kingdom of Great Britain and Northern Ireland",
        "France",
        "Spain",
        "Canada",
        "Singapore",
        "Japan",
        "Korea, Republic of",
        "Ireland",
        "Italy"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Trojan:Win64/CoinMiner.WE",
          "display_name": "Trojan:Win64/CoinMiner.WE",
          "target": "/malware/Trojan:Win64/CoinMiner.WE"
        },
        {
          "id": "Trojan:Win32/SmokeLoader",
          "display_name": "Trojan:Win32/SmokeLoader",
          "target": "/malware/Trojan:Win32/SmokeLoader"
        },
        {
          "id": "PWS:Win32/Zbot!CI",
          "display_name": "PWS:Win32/Zbot!CI",
          "target": "/malware/PWS:Win32/Zbot!CI"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1428",
          "name": "Exploit Enterprise Resources",
          "display_name": "T1428 - Exploit Enterprise Resources"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1016.001",
          "name": "Internet Connection Discovery",
          "display_name": "T1016.001 - Internet Connection Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1017",
          "name": "Application Deployment Software",
          "display_name": "T1017 - Application Deployment Software"
        },
        {
          "id": "T1138",
          "name": "Application Shimming",
          "display_name": "T1138 - Application Shimming"
        },
        {
          "id": "T1001.003",
          "name": "Protocol Impersonation",
          "display_name": "T1001.003 - Protocol Impersonation"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1459",
          "name": "Device Unlock Code Guessing or Brute Force",
          "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
        },
        {
          "id": "T1445",
          "name": "Abuse of iOS Enterprise App Signing Key",
          "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66f55cdc8257c7fa223ed052",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2852,
        "FileHash-SHA1": 2194,
        "FileHash-SHA256": 6649,
        "domain": 1881,
        "hostname": 1706,
        "URL": 553,
        "CVE": 3,
        "email": 25
      },
      "indicator_count": 15863,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "114 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d101365a94bbec9580d998",
      "name": "StableAI Setup .zip by Brute Denis",
      "description": "VirusTotal Graph by miniuser (2025-09-22)",
      "modified": "2025-10-22T07:03:32.951000",
      "created": "2025-09-22T07:56:38.644000",
      "tags": [
        "entity"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g2ef5990d26324c34bf891ad5b1225bc96eb60a570a9c43959288823058f3150e?theme=dark",
        "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/iocs",
        "https://www.virustotal.com/gui/collection/a3e98888adbf22ae5cf4b3e57d24241c104b74f3d0a4c848c30d7643dbc0f2ce/summary"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 27,
        "FileHash-SHA1": 27,
        "FileHash-SHA256": 75,
        "URL": 85,
        "domain": 6,
        "hostname": 26
      },
      "indicator_count": 246,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "173 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "686dc31588057c828d99de65",
      "name": "Darpapox CNC Beacon \u2022 Tethered to T-Mobile iOS",
      "description": "In November 2021 T-mobile.com/tethering/upsell.do\ttethered to a heavily targeted crime victim\u2019s phone. It seemed to trigger an outage in early November 2021. (IoCs left out of graph and Pulse) related to Palantir / Foundry / Twitter\nI can assume they are being spoofed; unfortunately, this harmful, powerfully dangerous \u2019tool\u2019 is a real weapon that can and has led to great harm or death; it is a product for sale.\n\nVictim was assaulted by PT under quasi-government care. She has been injured, stalked, nearly assassinated, confronted, recorded, spied on, denied healthcare and legal representation, and relentlessly bullied online and otherwise to death.\nNOT EVERYONE SHOULD HAVE THIS TOOL. IT IS A WEAPON!",
      "modified": "2025-08-08T00:05:09.846000",
      "created": "2025-07-09T01:17:09.803000",
      "tags": [
        "united",
        "status",
        "name servers",
        "search",
        "servers",
        "ip address",
        "creation date",
        "telekom ag",
        "present aug",
        "present dec",
        "date",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results jan",
        "next related",
        "domains show",
        "domain related",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "mitre att",
        "ck techniques",
        "evasion att",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "size",
        "null",
        "refresh",
        "body",
        "span",
        "hybrid",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "update",
        "whois field",
        "value address",
        "city bonn",
        "country de",
        "dnssec",
        "domain name",
        "name",
        "expiration date",
        "domain",
        "passive dns",
        "urls",
        "files ip",
        "address domain",
        "ip whois",
        "registrar",
        "entries",
        "next associated",
        "urls show",
        "results apr",
        "showing",
        "present nov",
        "results dec",
        "present jan",
        "results feb",
        "present mar",
        "results may",
        "results mar",
        "results aug",
        "present may",
        "present jun",
        "results jun",
        "t-mobile",
        "log4",
        "whois show",
        "record value",
        "name domain",
        "admin name",
        "org deutsche",
        "whois",
        "related",
        "comments",
        "status hostname",
        "query type",
        "address first",
        "seen last",
        "seen asn",
        "country",
        "emails",
        "services",
        "org principal",
        "financial",
        "high st",
        "ag organization",
        "server",
        "flag",
        "contacted hosts",
        "process details",
        "found cache",
        "control",
        "pragma",
        "present oct",
        "present feb",
        "moved",
        "name legal",
        "referral url",
        "wa status",
        "updated date",
        "whois server",
        "zipcode",
        "present apr",
        "content type",
        "gmt p3p",
        "noi nid",
        "cura adma",
        "deva psaa",
        "psda our",
        "sama bus",
        "pur com",
        "hostname add",
        "pulse pulses",
        "files",
        "domain add",
        "show",
        "copy",
        "reads",
        "total",
        "read",
        "write",
        "delete",
        "kawaii unicorn",
        "tethering",
        "iphone",
        "ios",
        "apple",
        "gmt content",
        "type",
        "dynamicloader",
        "yara rule",
        "medium",
        "high",
        "vmware",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "malware",
        "unknown",
        "ta0002 defense",
        "evasion ta0005",
        "ta0009",
        "lowfi",
        "ipv4 add",
        "location united",
        "america flag",
        "ransom",
        "trojandropper",
        "yara detections",
        "lehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "medium risk",
        "none related",
        "defender",
        "pulses none",
        "cnc beacon",
        "winver",
        "search host",
        "all ipv4",
        "hosting",
        "trojan",
        "tlsv1",
        "odigicert inc",
        "cndigicert sha2",
        "secure server",
        "stwashington",
        "lseattle",
        "as16509",
        "stcalifornia",
        "next",
        "execution",
        "dock",
        "persistence",
        "encrypt",
        "project",
        "process32nextw",
        "service",
        "t1003",
        "hacktool",
        "pe32",
        "win64",
        "cowboy server",
        "jakuz",
        "mimikatz",
        "darpapox",
        "default",
        "codeoverlap",
        "date hash",
        "deletes_executed_files",
        "ue codeoverlap",
        "pe section",
        "ipv4",
        "arkei stealer",
        "hash apr",
        "ma ma",
        "win32spigot may",
        "ub euj",
        "e ep",
        "ub uj",
        "program",
        "python",
        "write c",
        "intel",
        "ms windows",
        "updater",
        "launcher",
        "powershell",
        "langchinese",
        "ip check",
        "http host",
        "icmp traffic",
        "win32",
        "download",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "entity bns34",
        "ip addresses",
        "tsara brashears"
      ],
      "references": [
        "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do",
        "Kawaii-Unicorn.exe",
        "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector",
        "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly",
        "High Priority Alerts:  suricata_alert antivm_bochs_keys physical_drive_access",
        "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process",
        "Priority Alerts:  enumerates_running_processes reads_self network_http",
        "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx",
        "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name",
        "High Priority Alerts IDS:  Backdoor.Darpapox/Jaku  \u2022 CNAME CnC Beacon (WinVer 6.1)",
        "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin",
        "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140",
        "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin",
        "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140",
        "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140",
        "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022  192.157.56.140",
        "High Priority Alerts IDS:  \u2022 199.59.243.228",
        "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228",
        "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228",
        "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228",
        "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228",
        "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228",
        "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022",
        "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org",
        "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.",
        "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues",
        "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]",
        "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.Barys-10005825-0",
          "display_name": "Win.Trojan.Barys-10005825-0",
          "target": null
        },
        {
          "id": "#fp539598-VBS/LoveLetter.BT",
          "display_name": "#fp539598-VBS/LoveLetter.BT",
          "target": null
        },
        {
          "id": "Ransom:Win32/Haperlock",
          "display_name": "Ransom:Win32/Haperlock",
          "target": "/malware/Ransom:Win32/Haperlock"
        },
        {
          "id": "Backdoor.Darpapox/Jaku",
          "display_name": "Backdoor.Darpapox/Jaku",
          "target": null
        },
        {
          "id": "Win.Trojan.Badur-8004052-0",
          "display_name": "Win.Trojan.Badur-8004052-0",
          "target": null
        },
        {
          "id": "Win.Dropper.Unruy-9994363-0",
          "display_name": "Win.Dropper.Unruy-9994363-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/Haperlock.A",
          "display_name": "Ransom:Win32/Haperlock.A",
          "target": "/malware/Ransom:Win32/Haperlock.A"
        },
        {
          "id": "Win.Malware.Bzub-9969513-0",
          "display_name": "Win.Malware.Bzub-9969513-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Dorv.A",
          "display_name": "Trojan:Win32/Dorv.A",
          "target": "/malware/Trojan:Win32/Dorv.A"
        },
        {
          "id": "HackTool:Win32/Mimikatz",
          "display_name": "HackTool:Win32/Mimikatz",
          "target": "/malware/HackTool:Win32/Mimikatz"
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1429",
          "name": "Capture Audio",
          "display_name": "T1429 - Capture Audio"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1130,
        "FileHash-SHA1": 1094,
        "FileHash-SHA256": 4332,
        "URL": 413,
        "domain": 444,
        "hostname": 903,
        "email": 12,
        "SSLCertFingerprint": 34,
        "CIDR": 1
      },
      "indicator_count": 8363,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67035385a884405e783f9a7e",
      "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com  |",
      "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd",
      "modified": "2024-11-06T01:02:24.390000",
      "created": "2024-10-07T03:20:37.224000",
      "tags": [
        "canada unknown",
        "redacted for",
        "as25825",
        "all scoreblue",
        "passive dns",
        "ipv4",
        "reverse dns",
        "next",
        "for privacy",
        "cname",
        "united states",
        "nxdomain",
        "ns nxdomain",
        "united",
        "as21928",
        "south korea",
        "as9318 sk",
        "taiwan as3462",
        "as701 verizon",
        "search",
        "maxage apt",
        "minage apt",
        "maxsize apt",
        "malware",
        "as44273 host",
        "creation date",
        "status",
        "showing",
        "record value",
        "certificate",
        "date",
        "urls",
        "overview ip",
        "address",
        "related nids",
        "files location",
        "flag united",
        "domain",
        "files related",
        "intel",
        "ms windows",
        "users",
        "pe32",
        "number",
        "ascii text",
        "crlf line",
        "database",
        "english",
        "tue jun",
        "installer",
        "template",
        "trojan",
        "write",
        "registrar",
        "pulse submit",
        "url analysis",
        "files",
        "msie",
        "chrome",
        "rdds service",
        "record",
        "registrant",
        "admin",
        "tech contact",
        "name servers",
        "email please",
        "moved",
        "trojanproxy",
        "virtool",
        "as1221",
        "aaaa",
        "asnone united",
        "show",
        "filehash",
        "pulse pulses",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "script urls",
        "gmt path",
        "fedora",
        "open ports",
        "nginx http",
        "server",
        "a domains",
        "gmt content",
        "set cookie",
        "gmt etag",
        "accept",
        "expiration date",
        "backdoor",
        "mirai",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "hostname",
        "verdict",
        "unknown",
        "new pulse",
        "loveland",
        "america asn",
        "Generic36.ABKD",
        "domains",
        "location canada",
        "as32133",
        "files ip",
        "address domain",
        "path max",
        "age86400 set",
        "cookie",
        "type",
        "entries",
        "script domains",
        "downloader",
        "body",
        "servers",
        "emails",
        "gmt max",
        "title",
        "meta",
        "as20940",
        "as16625 akamai",
        "west domains",
        "as4230 claro",
        "copy",
        "sabey",
        "contacted"
      ],
      "references": [
        "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org",
        "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital",
        "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html",
        "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html",
        "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html",
        "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html",
        "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html",
        "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html",
        "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4",
        "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication",
        "Domains Contacted: ntp.ubuntu.com",
        "IP\u2019s Contacted:  1.0.128.143  1.10.54.226  1.107.217.150  1.112.34.224  1.114.165.87  1.116.76.208  1.118.37.88  1.121.139.226  1.122.96.75 1.114.207.168",
        "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com",
        "Trojan:Win32/Zombie.A FileHash-SHA256  ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830",
        "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,  UPXv20MarkusLaszloReiser ,  UPX",
        "cpe-1-159-170-17.wb05.wa.asp.telstra.net",
        "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth,  Australia ASN AS1221 telstra corporation",
        "ELF:Mirai-BZ\\ [Trj]  cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation",
        "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555",
        "Yara Detections: Mirai_Botnet_Malware ,  MAL_ELF_LNX_Mirai_Oct10_2 ,  SUSP_XORed_Mozilla ,  is__elf",
        "198.49.6.6 \u00bb Loveland,  United States of America ASN AS25825 poudre valley health care inc."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "Taiwan",
        "Philippines",
        "India",
        "Italy",
        "Germany",
        "Netherlands"
      ],
      "malware_families": [
        {
          "id": "ELF:Mirai-BZ\\ [Trj]",
          "display_name": "ELF:Mirai-BZ\\ [Trj]",
          "target": null
        },
        {
          "id": "Mirai_Botnet_Malware",
          "display_name": "Mirai_Botnet_Malware",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Unix.Trojan.Mirai-6976991-0",
          "display_name": "Unix.Trojan.Mirai-6976991-0",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai.B",
          "display_name": "Backdoor:Linux/Mirai.B",
          "target": "/malware/Backdoor:Linux/Mirai.B"
        },
        {
          "id": "TrojanDownloader:Win32/Fosniw",
          "display_name": "TrojanDownloader:Win32/Fosniw",
          "target": "/malware/TrojanDownloader:Win32/Fosniw"
        },
        {
          "id": "TrojanClicker:Win32/Frosparf",
          "display_name": "TrojanClicker:Win32/Frosparf",
          "target": "/malware/TrojanClicker:Win32/Frosparf"
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        }
      ],
      "industries": [
        "Legal",
        "Healthcare",
        "Education"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1230,
        "email": 16,
        "hostname": 1560,
        "URL": 3400,
        "FileHash-SHA256": 1064,
        "FileHash-MD5": 544,
        "FileHash-SHA1": 496,
        "CVE": 1
      },
      "indicator_count": 8311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "523 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f55cdc8257c7fa223ed052",
      "name": "NSO Group attacks Uptown Denver Neighborhood",
      "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
      "modified": "2024-10-26T12:05:43.885000",
      "created": "2024-09-26T13:08:44.341000",
      "tags": [
        "iocs",
        "urls https",
        "generic malware",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "detection list",
        "luca stealer",
        "cisco umbrella",
        "site",
        "safe site",
        "heur",
        "malicious url",
        "alexa top",
        "malicious site",
        "malware site",
        "unsafe",
        "trojanx",
        "malware",
        "metastealer",
        "alexa",
        "dbatloader",
        "outbreak",
        "downloader",
        "blocker",
        "ransom",
        "autoit",
        "trojan",
        "irata",
        "allakore",
        "trojanspy",
        "hash",
        "ms windows",
        "pe32",
        "write c",
        "t1045",
        "show",
        "high",
        "search",
        "pe32 executable",
        "copy",
        "write",
        "win64",
        "scan endpoints",
        "all scoreblue",
        "filehash",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "entries",
        "powershell",
        "mfc mfc",
        "united",
        "as54113",
        "as14061",
        "as9009 m247",
        "whitelisted",
        "status",
        "united kingdom",
        "name servers",
        "aaaa",
        "passive dns",
        "urls",
        "overview ip",
        "address",
        "related nids",
        "files location",
        "files domain",
        "files related",
        "pulses otx",
        "pulses",
        "as15133 verizon",
        "cname",
        "as16552 tiggee",
        "as20940",
        "domain",
        "as16625 akamai",
        "creation date",
        "body",
        "unknown",
        "ipv4",
        "softcnapp",
        "trojandropper",
        "epaeedpaer",
        "eoaee",
        "qaexedoae",
        "showing",
        "sha256",
        "strings",
        "august",
        "files",
        "main",
        "germany asn",
        "win32",
        "miner",
        "next",
        "asnone united",
        "moved",
        "as8987 amazon",
        "trojanproxy",
        "virtool",
        "yara rule",
        "formbook cnc",
        "checkin",
        "mtb aug",
        "a domains",
        "present sep",
        "twitter",
        "accept",
        "certificate",
        "record value",
        "dynamicloader",
        "medium",
        "dynamic",
        "network",
        "reads",
        "port",
        "anomaly",
        "overview domain",
        "tags",
        "related tags",
        "dns status",
        "hostname query",
        "type address",
        "first seen",
        "seen asn",
        "country unknown",
        "nxdomain",
        "a nxdomain",
        "as16276",
        "spain unknown",
        "meta name",
        "frame src",
        "ok set",
        "cookie",
        "gmt date",
        "encrypt",
        "hostname",
        "files ip",
        "address domain",
        "france",
        "emails",
        "aaaa fd00",
        "as16276 ovh",
        "poland",
        "contacted",
        "wine emulator",
        "ip address",
        "script urls",
        "date",
        "meta",
        "flag united",
        "url http",
        "pulse http",
        "http",
        "as8075",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "servers",
        "expiration date",
        "sorry something",
        "gmt content",
        "canada unknown",
        "error",
        "backend",
        "france unknown",
        "alfper",
        "gmt contenttype",
        "apache",
        "exploit",
        "as15169 google",
        "wireless",
        "as23027 boingo",
        "pulse submit",
        "url analysis",
        "location united",
        "nso group",
        "pegasus spyware",
        "url indicator",
        "active created",
        "modified",
        "email",
        "nso",
        "germany",
        "pattern",
        "susp",
        "msil",
        "akamai",
        "gmt connection",
        "netherlands",
        "ovhfr",
        "ns nxdomain",
        "australia",
        "redacted for",
        "andariel group",
        "defense",
        "andariel",
        "check",
        "opera ua",
        "et trojan",
        "attempts",
        "april",
        "zbot",
        "possible zeus",
        "as140107 citis",
        "america asn",
        "as22612",
        "as397240",
        "as19527 google",
        "apple"
      ],
      "references": [
        "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
        "Andariel group \u00bb State-sponsored threat actor & Defense media",
        "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin",
        "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process",
        "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread",
        "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p",
        "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef",
        "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net",
        "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9",
        "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2",
        "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.",
        "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com",
        "Used as  Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254",
        "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Sweden",
        "Germany",
        "India",
        "United Kingdom of Great Britain and Northern Ireland",
        "France",
        "Spain",
        "Canada",
        "Singapore",
        "Japan",
        "Korea, Republic of",
        "Ireland",
        "Italy"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Trojan:Win64/CoinMiner.WE",
          "display_name": "Trojan:Win64/CoinMiner.WE",
          "target": "/malware/Trojan:Win64/CoinMiner.WE"
        },
        {
          "id": "Trojan:Win32/SmokeLoader",
          "display_name": "Trojan:Win32/SmokeLoader",
          "target": "/malware/Trojan:Win32/SmokeLoader"
        },
        {
          "id": "PWS:Win32/Zbot!CI",
          "display_name": "PWS:Win32/Zbot!CI",
          "target": "/malware/PWS:Win32/Zbot!CI"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1428",
          "name": "Exploit Enterprise Resources",
          "display_name": "T1428 - Exploit Enterprise Resources"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1016.001",
          "name": "Internet Connection Discovery",
          "display_name": "T1016.001 - Internet Connection Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1017",
          "name": "Application Deployment Software",
          "display_name": "T1017 - Application Deployment Software"
        },
        {
          "id": "T1138",
          "name": "Application Shimming",
          "display_name": "T1138 - Application Shimming"
        },
        {
          "id": "T1001.003",
          "name": "Protocol Impersonation",
          "display_name": "T1001.003 - Protocol Impersonation"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1459",
          "name": "Device Unlock Code Guessing or Brute Force",
          "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
        },
        {
          "id": "T1445",
          "name": "Abuse of iOS Enterprise App Signing Key",
          "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2852,
        "FileHash-SHA1": 2194,
        "FileHash-SHA256": 6649,
        "domain": 1881,
        "hostname": 1706,
        "URL": 553,
        "CVE": 3,
        "email": 25
      },
      "indicator_count": 15863,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 230,
      "modified_text": "533 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.amazon.com/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.amazon.com/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776073894.341924
}