{ "type": "URL", "indicator": "https://www.amii.ca/industry-solutions/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.amii.ca/industry-solutions/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3933407403, "indicator": "https://www.amii.ca/industry-solutions/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ad229b8d28f906a37991f2", "name": "amii[.]ca", "description": "Compromised: one of Canada\u2019s three centres of AI excellence as part of the Pan-Canadian AI Strategy\n\nImpact in Business\nWe\u2019ve invested in advanced AI research for decades. Now, we\u2019re here to steer your company to the best path forward to adopt these breakthroughs.\n\nWe partner with companies of all sizes, across industries, to drive innovation strategy and provide practical guidance and advice, corporate training and talent recruitment services. The true potential of AI is unlocked when you build internal capabilities, and that\u2019s where we excel.", "modified": "2024-10-15T14:49:05.330000", "created": "2024-08-02T18:16:59.312000", "tags": [ "UAlberta" ], "references": [ "https://www.virustotal.com/graph/embed/g9ce2c9fcce4e40cd86c9dad48fafd8a4b2295f789a8c47c5bab33543389ec78d?theme=dark", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/summary", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/iocs", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/graph", "https://tria.ge/240802-w2gz4azcpc/behavioral1", "https://www.virustotal.com/graph/embed/g731708921ce14aa8bbffb548afa0d3485ede2d0513b24395a238c28c12bf540b?theme=dark", "https://dnstwist.it/#d4ef489c-8d0c-4b09-81da-1ec3a95a9687", "https://www.amii.ca/about/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3731, "hostname": 1735, "URL": 2090, "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 1818, "CVE": 54 }, "indicator_count": 9618, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c9bb42dd32d415f9aaa06c", "name": "Botnet exchange | NORAD Tracking | Mirai | Injection | Spyware | Remote executions", "description": "North American Aerospace Defense Command NORAD - http://superanalbizflowforum.com/tsara-lynn-brashears (really?)\nwww.norad.mil , www.northcom.mil, dodcio.defense.gov, www.defense.gov\nwww.dodig.mil, www.foia.gov , prhome.defense.gov\n, www.ourmilitary.com, www.noradsanta.org , www.web.dma.mil \nIt's hard to tell or believe military and DoD conduct business this way. I tend to think scam abuse. Exception: target, escorted by security to appt in a DHS secured b,dg. She was then told to leave after receptionist received a call stating target was a threat. Entire floor was secured off. TB beyond upset w/ my carelessness of veteran & other comments. Targets Father, brother uncles, cousins, all served honorably w/some now terminally affected &mothers passed on from Camp Lejeune related complications. Father, an engineer & veteran worked on AEGIS weapons system test team for 3 now potentially decommissioned military Destroyers. \nI apologize prefusly for comment, MIL involvement was prevalent; it remains cloudy.", "modified": "2024-09-23T09:03:54.724000", "created": "2024-08-24T10:51:46.907000", "tags": [ "server", "whois lookup", "domain name", "llc sponsoring", "registrar iana", "referral url", "tsara brashears", "referrer", "porn", "networks", "botnet campaign", "pyinstaller", "apple", "password", "cybercrime", "it consultant", "metro", "skynet", "analyzer paste", "iocs", "hostnames", "urls http", "cyber threat", "cnc server", "ibm xforce", "exchange", "covid19", "tracker", "exchange botnet", "command", "control server", "keybase", "citadel", "stealer", "zeus", "radamant", "kovter", "zbot", "suppobox", "simda", "virut", "kraken", "amonetize", "msil", "phishing", "malicious", "feodo", "united", "germany unknown", "as133775 xiamen", "unknown", "china unknown", "passive dns", "domain", "search", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware site", "malicious site", "malware", "malicious url", "files domain", "files related", "related tags", "none md5", "as35908 krypt", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "status", "record value", "all scoreblue", "meta", "trend today", "link", "japan unknown", "script urls", "script script", "name servers", "script domains", "accept", "encrypt", "gmt content", "gmt etag", "ipv4", "url analysis", "pragma", "scan endpoints", "pulse submit", "urls", "body", "date", "hostname", "pulse pulses", "react app", "verizon feed", "bq aug", "typeof e", "object", "wds socket", "error", "path max", "path", "cookie", "suspicious", "virtool", "info", "trace", "moved", "aaaa nxdomain", "files", "a domains", "as9371 sakura", "service", "servers", "xml title", "dnssec", "showing", "next", "xserver", "title", "file", "type texthtml", "sha256", "read c", "write c", "kryptik", "tls sni", "style ssl", "cert", "amazon profile", "show", "cobaltstrike", "trojan", "copy", "write", "win32", "persistence", "execution", "media", "autorun", "delete c", "trojanspy", "entries", "bytes", "jpeg image", "ole control", "menu", "dock zone", "delphi", "dcom", "form", "canvas", "nxdomain", "ds nxdomain", "mirai variant", "useragent", "hello", "apache", "world", "inbound", "outbound", "hackingtrio ua", "activity mirai", "http traffic", "malware beacon", "mirai", "exploit", "shell", "aaaa", "as14061", "trojanclicker", "expl", "kr5a head", "abuse", "agent", "virgin islands", "as19905", "expiration date", "organization", "as4134 chinanet", "as4837 china", "type get", "as48447 sectigo", "united kingdom", "content type", "arial", "secure server", "as20940", "as2914 ntt", "as3257 gtt", "as2828 verizon", "general", ".mil", "brian sabey", "brian sabey" ], "references": [ "North American Aerospace Defense Command NORAD", "superanalbizflowforum.com | www.networksolutions.com", "http://superanalbizflowforum.com/tsara-lynn-brashears", "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ", "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak", "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan", "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e", "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd", "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b", "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9", "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability", "Malware Hosting: 162.43.116.132 | 183.181.98.116", "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution", "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 - \"Win32k Elevation of Privilege Vulnerability.'", "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc", "Exploit source: 138.197.103.178", "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812" ], "public": 1, "adversary": "IDK", "targeted_countries": [ "Japan", "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanSpy:Win32/Small", "display_name": "TrojanSpy:Win32/Small", "target": "/malware/TrojanSpy:Win32/Small" }, { "id": "Trojan:Win32/Cenjonsla.D!bit", "display_name": "Trojan:Win32/Cenjonsla.D!bit", "target": "/malware/Trojan:Win32/Cenjonsla.D!bit" }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 467, "domain": 1213, "hostname": 773, "FileHash-SHA256": 1513, "FileHash-MD5": 887, "FileHash-SHA1": 729, "CVE": 4, "email": 10, "SSLCertFingerprint": 5 }, "indicator_count": 5601, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ", "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc", "compromised_site_redirector_fromcharcode fromCharCode", "https://tria.ge/240802-w2gz4azcpc/behavioral1", "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability", "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "http://superanalbizflowforum.com/tsara-lynn-brashears", "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e", "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.virustotal.com/graph/embed/g9ce2c9fcce4e40cd86c9dad48fafd8a4b2295f789a8c47c5bab33543389ec78d?theme=dark", "Exploit source: 138.197.103.178", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/summary", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "https://dnstwist.it/#d4ef489c-8d0c-4b09-81da-1ec3a95a9687", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Malware Hosting: 162.43.116.132 | 183.181.98.116", "Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812", "North American Aerospace Defense Command NORAD", "superanalbizflowforum.com | www.networksolutions.com", "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "https://www.amii.ca/about/", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/iocs", "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 - \"Win32k Elevation of Privilege Vulnerability.'", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/graph", "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b", "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "https://www.virustotal.com/graph/embed/g731708921ce14aa8bbffb548afa0d3485ede2d0513b24395a238c28c12bf540b?theme=dark", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "IDK" ], "malware_families": [ "Trojan:win32/cenjonsla.d!bit", "Trojanspy:win32/small", "Upackv037dwing", "Cryp_xed-12", "Trojan:win32/smokeloader", "Alf:heraklezeval:rogue:win32/fakerean", "Mal/generic-s", "Trojanspy:win32/nivdort", "Virtool:win32/injector.gen!bq", "Worm:win32/macoute.a", "Elf:mirai-gh\\ [trj]", "Worm:win32/fesber.a", "Trojandownloader:win32/nemucod", "Tofsee", "Ransom:win32/eniqma.a" ], "industries": [ "", "Technology", "Education" ], "unique_indicators": 22939 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/amii.ca", "whois": "http://whois.domaintools.com/amii.ca", "domain": "amii.ca", "hostname": "www.amii.ca" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ad229b8d28f906a37991f2", "name": "amii[.]ca", "description": "Compromised: one of Canada\u2019s three centres of AI excellence as part of the Pan-Canadian AI Strategy\n\nImpact in Business\nWe\u2019ve invested in advanced AI research for decades. Now, we\u2019re here to steer your company to the best path forward to adopt these breakthroughs.\n\nWe partner with companies of all sizes, across industries, to drive innovation strategy and provide practical guidance and advice, corporate training and talent recruitment services. The true potential of AI is unlocked when you build internal capabilities, and that\u2019s where we excel.", "modified": "2024-10-15T14:49:05.330000", "created": "2024-08-02T18:16:59.312000", "tags": [ "UAlberta" ], "references": [ "https://www.virustotal.com/graph/embed/g9ce2c9fcce4e40cd86c9dad48fafd8a4b2295f789a8c47c5bab33543389ec78d?theme=dark", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/summary", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/iocs", "https://www.virustotal.com/gui/collection/73bb2abd79733bc142df5a8f1d501741b63d79459a3ba76f987dd79515fd9e51/graph", "https://tria.ge/240802-w2gz4azcpc/behavioral1", "https://www.virustotal.com/graph/embed/g731708921ce14aa8bbffb548afa0d3485ede2d0513b24395a238c28c12bf540b?theme=dark", "https://dnstwist.it/#d4ef489c-8d0c-4b09-81da-1ec3a95a9687", "https://www.amii.ca/about/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3731, "hostname": 1735, "URL": 2090, "FileHash-MD5": 95, "FileHash-SHA1": 95, "FileHash-SHA256": 1818, "CVE": 54 }, "indicator_count": 9618, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c9bb42dd32d415f9aaa06c", "name": "Botnet exchange | NORAD Tracking | Mirai | Injection | Spyware | Remote executions", "description": "North American Aerospace Defense Command NORAD - http://superanalbizflowforum.com/tsara-lynn-brashears (really?)\nwww.norad.mil , www.northcom.mil, dodcio.defense.gov, www.defense.gov\nwww.dodig.mil, www.foia.gov , prhome.defense.gov\n, www.ourmilitary.com, www.noradsanta.org , www.web.dma.mil \nIt's hard to tell or believe military and DoD conduct business this way. I tend to think scam abuse. Exception: target, escorted by security to appt in a DHS secured b,dg. She was then told to leave after receptionist received a call stating target was a threat. Entire floor was secured off. TB beyond upset w/ my carelessness of veteran & other comments. Targets Father, brother uncles, cousins, all served honorably w/some now terminally affected &mothers passed on from Camp Lejeune related complications. Father, an engineer & veteran worked on AEGIS weapons system test team for 3 now potentially decommissioned military Destroyers. \nI apologize prefusly for comment, MIL involvement was prevalent; it remains cloudy.", "modified": "2024-09-23T09:03:54.724000", "created": "2024-08-24T10:51:46.907000", "tags": [ "server", "whois lookup", "domain name", "llc sponsoring", "registrar iana", "referral url", "tsara brashears", "referrer", "porn", "networks", "botnet campaign", "pyinstaller", "apple", "password", "cybercrime", "it consultant", "metro", "skynet", "analyzer paste", "iocs", "hostnames", "urls http", "cyber threat", "cnc server", "ibm xforce", "exchange", "covid19", "tracker", "exchange botnet", "command", "control server", "keybase", "citadel", "stealer", "zeus", "radamant", "kovter", "zbot", "suppobox", "simda", "virut", "kraken", "amonetize", "msil", "phishing", "malicious", "feodo", "united", "germany unknown", "as133775 xiamen", "unknown", "china unknown", "passive dns", "domain", "search", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware site", "malicious site", "malware", "malicious url", "files domain", "files related", "related tags", "none md5", "as35908 krypt", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "status", "record value", "all scoreblue", "meta", "trend today", "link", "japan unknown", "script urls", "script script", "name servers", "script domains", "accept", "encrypt", "gmt content", "gmt etag", "ipv4", "url analysis", "pragma", "scan endpoints", "pulse submit", "urls", "body", "date", "hostname", "pulse pulses", "react app", "verizon feed", "bq aug", "typeof e", "object", "wds socket", "error", "path max", "path", "cookie", "suspicious", "virtool", "info", "trace", "moved", "aaaa nxdomain", "files", "a domains", "as9371 sakura", "service", "servers", "xml title", "dnssec", "showing", "next", "xserver", "title", "file", "type texthtml", "sha256", "read c", "write c", "kryptik", "tls sni", "style ssl", "cert", "amazon profile", "show", "cobaltstrike", "trojan", "copy", "write", "win32", "persistence", "execution", "media", "autorun", "delete c", "trojanspy", "entries", "bytes", "jpeg image", "ole control", "menu", "dock zone", "delphi", "dcom", "form", "canvas", "nxdomain", "ds nxdomain", "mirai variant", "useragent", "hello", "apache", "world", "inbound", "outbound", "hackingtrio ua", "activity mirai", "http traffic", "malware beacon", "mirai", "exploit", "shell", "aaaa", "as14061", "trojanclicker", "expl", "kr5a head", "abuse", "agent", "virgin islands", "as19905", "expiration date", "organization", "as4134 chinanet", "as4837 china", "type get", "as48447 sectigo", "united kingdom", "content type", "arial", "secure server", "as20940", "as2914 ntt", "as3257 gtt", "as2828 verizon", "general", ".mil", "brian sabey", "brian sabey" ], "references": [ "North American Aerospace Defense Command NORAD", "superanalbizflowforum.com | www.networksolutions.com", "http://superanalbizflowforum.com/tsara-lynn-brashears", "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ", "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak", "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan", "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e", "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd", "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b", "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9", "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability", "Malware Hosting: 162.43.116.132 | 183.181.98.116", "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution", "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 - \"Win32k Elevation of Privilege Vulnerability.'", "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc", "Exploit source: 138.197.103.178", "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812" ], "public": 1, "adversary": "IDK", "targeted_countries": [ "Japan", "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanSpy:Win32/Small", "display_name": "TrojanSpy:Win32/Small", "target": "/malware/TrojanSpy:Win32/Small" }, { "id": "Trojan:Win32/Cenjonsla.D!bit", "display_name": "Trojan:Win32/Cenjonsla.D!bit", "target": "/malware/Trojan:Win32/Cenjonsla.D!bit" }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 467, "domain": 1213, "hostname": 773, "FileHash-SHA256": 1513, "FileHash-MD5": 887, "FileHash-SHA1": 729, "CVE": 4, "email": 10, "SSLCertFingerprint": 5 }, "indicator_count": 5601, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.amii.ca/industry-solutions/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.amii.ca/industry-solutions/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780289685.550921 }