{ "type": "URL", "indicator": "https://www.appelfarm.org/xmlrpc.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.appelfarm.org/xmlrpc.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3113654628, "indicator": "https://www.appelfarm.org/xmlrpc.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "692e131f210ea9c656748c0c", "name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.", "description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]", "modified": "2025-12-31T21:02:25", "created": "2025-12-01T22:13:50.416000", "tags": [ "canada canada", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "mitre att", "ck techniques", "contacted hosts", "ip address", "unknown", "tls handshake", "failure", "forbidden", "msie", "windows nt", "tlsv1", "search", "show", "copy", "write", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2784, "hostname": 2271, "URL": 6612, "FileHash-SHA256": 956, "FileHash-MD5": 102, "FileHash-SHA1": 100, "SSLCertFingerprint": 10 }, "indicator_count": 12835, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e13386db2fdd32faf8999", "name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.", "description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]", "modified": "2025-12-31T21:02:25", "created": "2025-12-01T22:14:16.628000", "tags": [ "canada canada", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "mitre att", "ck techniques", "contacted hosts", "ip address", "unknown", "tls handshake", "failure", "forbidden", "msie", "windows nt", "tlsv1", "search", "show", "copy", "write", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2784, "hostname": 2271, "URL": 6612, "FileHash-SHA256": 956, "FileHash-MD5": 102, "FileHash-SHA1": 100, "SSLCertFingerprint": 10 }, "indicator_count": 12835, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e462d095c8c8f397c358a", "name": "Searchjstg - Music Industry Relationship to malicious attacks", "description": "Britney Spears link found in a threat report re: attack on a monitored target. \nReport dated 5/2024. I did research the link and included results related to : https://www.neurotoxininstitute.com/ , Foundry , Apple Music , Operation Endgame , Sony etc. I need to research further pinpoint Lazarus connection. Related malicious files were found that need to be isolated. \n\nTarget has been affected by Lazarus group for a number of years. Target, an independent a songwriter & publisher catalogs were mostly deleted, sold, chopped. Videos, views . Spotify and all other media outlets targets music samples were showcased have been ravaged including views in the millions gone. At some point all of her traffic was routed to .GA (Africa) audiences only. Most of targets customer service for all things as also routed to South Africa. \n\nThere is also a Pegasus relationship.", "modified": "2025-12-19T21:00:48.726000", "created": "2025-11-19T22:35:25.095000", "tags": [ "related pulses", "active related", "families", "virtool att", "ck ids", "t1140", "t1204", "user execution", "t1060", "run keys", "startup", "hr description", "active", "sony", "added active", "win32spigot", "spigot", "searchjstg", "sucuri", "url http", "url https", "cve cve20178977", "cve cve20140322", "type indicator", "britney spears", "official", "skip", "tiktok youtube", "spotify apple", "join", "newsletter", "subscribe", "britney", "rights reserved", "service", "matthew pynhas", "grs limited", "domain admin", "digital privacy", "wolfgang reile", "clyde murphy", "dmitry urin", "artem zahvatkin", "aleksey silakov", "mmi online", "cloud", "email add", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "united", "command decode", "suricata ipv4", "pcap frame", "suricata udpv4", "belgium belgium", "localappdata", "domain address", "contacted hosts", "strings", "show process", "programfiles", "mitre att", "show technique", "ck matrix", "href", "username", "userprofile", "sha1", "comspec", "model", "iframe", "general", "path", "ipv4", "dynamicloader", "msie", "windows nt", "unknown", "write c", "tls handshake", "failure", "tlsv1", "forbidden", "encrypt", "xserver", "copy", "write", "trojan", "malware", "julia", "carr", "next", "temple", "show", "entries", "medium", "search", "et trojan", "possible", "host sinkhole", "cookie value", "delete", "ids detections", "bifrose", "win32", "high", "crlf line", "document file", "v2 document", "yara rule", "sniffs", "guard" ], "references": [ "https://britneyspears.com/", "https://www.neurotoxininstitute.com/", "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/", "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com", "https://hello.engine.com/api/mailings \u2022 hello.engine.com", "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below", "FileHash - SHA255 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Poland", "United Kingdom of Great Britain and Northern Ireland", "T\u00fcrkiye", "Malaysia", "Canada", "Finland", "Germany", "Russian Federation", "Ireland", "France", "Jordan", "Australia" ], "malware_families": [ { "id": "Win32/Spigot", "display_name": "Win32/Spigot", "target": null }, { "id": "VirTool:Win32/VBInject.gen!CF", "display_name": "VirTool:Win32/VBInject.gen!CF", "target": "/malware/VirTool:Win32/VBInject.gen!CF" }, { "id": "Searchjstg", "display_name": "Searchjstg", "target": null }, { "id": "Backdoor:Win32/Bifrose", "display_name": "Backdoor:Win32/Bifrose", "target": "/malware/Backdoor:Win32/Bifrose" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 424, "domain": 374, "hostname": 167, "FileHash-SHA256": 175, "email": 2, "FileHash-MD5": 222, "FileHash-SHA1": 145, "CVE": 7, "SSLCertFingerprint": 36 }, "indicator_count": 1552, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e2279ac1ef8b9dbfbc2b3", "name": "Mirai \u2022 Neurotox Institute", "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]", "modified": "2025-12-19T19:00:18.927000", "created": "2025-11-19T20:03:05.195000", "tags": [ "united", "link", "virtool", "meta", "atom", "pragma", "dynamicloader", "msie", "windows nt", "tls handshake", "failure", "tlsv1", "forbidden", "ogoogle trust", "encrypt", "possible", "write", "malware", "consumed", "netherlands", "united kingdom", "read c", "sality", "delphi", "win32", "strings", "xserver", "post http", "post method", "cryptexportkey", "ocloudflare", "cryptgenkey", "calgrc4", "persistence", "execution", "div div", "script script", "span a", "a li", "unknown ns", "span", "april", "passive dns", "hosting", "reverse dns", "hostname add", "files ip", "asn as32475", "address domain", "mirai", "united states", "facebook", "twitter", "youtube", "ck ids", "mh may", "t1204 technique", "user execution", "suggested", "port", "destination", "telnet login", "high", "tcp syn", "infectednight", "resolverror", "suspicious path", "ids detections", "yara detections", "sinkhole cookie", "file score", "detections sf", "value snkz", "forbidden tls", "et trojan", "value", "et info", "et", "present oct", "domain", "title", "present sep", "moved", "server", "next associated", "ipv4 add", "urls", "files", "trojan", "cookie", "predict70 sep", "next http", "scans record", "forbidden date", "gmt content", "type", "unix", "namecheap url", "forward elf", "md5 add", "less see", "contacted", "pulse pulses", "av detections", "analysis date", "virus", "ee fc", "unknown", "yara rule", "ff d5", "search", "show", "suspicious", "fbq object", "ide value", "source level", "url text", "line", "allow attribute", "mootools", "class function", "chain", "options", "elements", "garbage", "drag", "xhr function", "ajax", "itemid14", "kb image", "kb script", "b image", "b stylesheet", "b script", "kb stylesheet", "stylesheet", "redirect chain", "path size", "type mimetype", "resource", "general full", "montreal", "canada", "asn16276", "debian", "url http", "hash", "main", "cookie object", "dns any", "date", "entries", "url https", "Foundry", "Lazarus", "Endgame", "Neurotoxin Institute", "Hall Render", "Brian Sabey", "UC Health", "Britney Spears Official" ], "references": [ "https://www.neurotoxininstitute.com/", "Backdoor.Win32.Pushdo.s Checkin", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "http://appelfarm.org", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "Interesting Strings : 13.79.87.163", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "https://britneyspears.com/", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America", "Japan", "France", "Germany", "Canada", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "New Zealand", "Italy", "Aruba", "Poland", "Singapore", "T\u00fcrkiye", "Indonesia", "Spain", "Hong Kong" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Netherlands", "display_name": "Netherlands", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Virus:Win32/Krepper.30760", "display_name": "Virus:Win32/Krepper.30760", "target": "/malware/Virus:Win32/Krepper.30760" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "target": null }, { "id": "Suggested", "display_name": "Suggested", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "target": null }, { "id": "Win32:Zbot-RUV", "display_name": "Win32:Zbot-RUV", "target": null }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Kryptik", "display_name": "Win32:Kryptik", "target": null }, { "id": "Trojan:Win32/Bulta", "display_name": "Trojan:Win32/Bulta", "target": "/malware/Trojan:Win32/Bulta" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 198, "domain": 471, "FileHash-SHA256": 1442, "FileHash-MD5": 183, "FileHash-SHA1": 79, "email": 5, "SSLCertFingerprint": 63 }, "indicator_count": 2952, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7fc464f9f56ac33a389", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:32.030000", "created": "2023-12-06T16:57:32.030000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7e7daf278491d9f9eb4", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:11.228000", "created": "2023-12-06T16:57:11.228000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652044fb2f28d46e91d29160", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:33:47.403000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65204565ac1e8bce4de26df3", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:35:33.618000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1df9a7da086561b9897f", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-30T03:07:37.963000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "65204565ac1e8bce4de26df3", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/", "Research and Data Analysis", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "https://britneyspears.com/", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "https://hello.engine.com/api/mailings \u2022 hello.engine.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "Interesting Strings : 13.79.87.163", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "https://www.neurotoxininstitute.com/", "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below", "FileHash - SHA255 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "Backdoor.Win32.Pushdo.s Checkin", "http://appelfarm.org", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Tulach", "Lazarus" ], "malware_families": [ "Win32/spigot", "Netherlands", "Virtool:win32/vbinject.gen!cf", "Trojandownloader:win32/cutwail", "Virtool:win32/vbinject.gen!mh", "Alf:heraklezeval:backdoor:linux/mirai.a!rf", "Sality", "Backdoor:win32/bifrose", "Virus:win32/krepper.30760", "Softcnapp", "Suggested", "Alf:rpf:peattr_sigattr:predict:70", "Win32:kryptik", "Trojan:win32/bulta", "Mirai", "Et", "Win32:zbot-ruv", "Searchjstg", "Win32:evo-gen" ], "industries": [], "unique_indicators": 38848 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/appelfarm.org", "whois": "http://whois.domaintools.com/appelfarm.org", "domain": "appelfarm.org", "hostname": "www.appelfarm.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "692e131f210ea9c656748c0c", "name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.", "description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]", "modified": "2025-12-31T21:02:25", "created": "2025-12-01T22:13:50.416000", "tags": [ "canada canada", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "mitre att", "ck techniques", "contacted hosts", "ip address", "unknown", "tls handshake", "failure", "forbidden", "msie", "windows nt", "tlsv1", "search", "show", "copy", "write", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2784, "hostname": 2271, "URL": 6612, "FileHash-SHA256": 956, "FileHash-MD5": 102, "FileHash-SHA1": 100, "SSLCertFingerprint": 10 }, "indicator_count": 12835, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e13386db2fdd32faf8999", "name": "iOS Exploits \u2022\u2019 Cutwail Botnet - Telef\u00f3nica, S.A.", "description": "Cutwail Botnet has a long history as a spambot. Sends malicious communications, may take system root. Cyber criminals.\n\n[OTX auto populated - Adversaries may be able to gain access to a victim's network by browsing a website over the normal course of browsing, but only if the victim is aware of the target's location and settings.]", "modified": "2025-12-31T21:02:25", "created": "2025-12-01T22:14:16.628000", "tags": [ "canada canada", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "mitre att", "ck techniques", "contacted hosts", "ip address", "unknown", "tls handshake", "failure", "forbidden", "msie", "windows nt", "tlsv1", "search", "show", "copy", "write", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2784, "hostname": 2271, "URL": 6612, "FileHash-SHA256": 956, "FileHash-MD5": 102, "FileHash-SHA1": 100, "SSLCertFingerprint": 10 }, "indicator_count": 12835, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e462d095c8c8f397c358a", "name": "Searchjstg - Music Industry Relationship to malicious attacks", "description": "Britney Spears link found in a threat report re: attack on a monitored target. \nReport dated 5/2024. I did research the link and included results related to : https://www.neurotoxininstitute.com/ , Foundry , Apple Music , Operation Endgame , Sony etc. I need to research further pinpoint Lazarus connection. Related malicious files were found that need to be isolated. \n\nTarget has been affected by Lazarus group for a number of years. Target, an independent a songwriter & publisher catalogs were mostly deleted, sold, chopped. Videos, views . Spotify and all other media outlets targets music samples were showcased have been ravaged including views in the millions gone. At some point all of her traffic was routed to .GA (Africa) audiences only. Most of targets customer service for all things as also routed to South Africa. \n\nThere is also a Pegasus relationship.", "modified": "2025-12-19T21:00:48.726000", "created": "2025-11-19T22:35:25.095000", "tags": [ "related pulses", "active related", "families", "virtool att", "ck ids", "t1140", "t1204", "user execution", "t1060", "run keys", "startup", "hr description", "active", "sony", "added active", "win32spigot", "spigot", "searchjstg", "sucuri", "url http", "url https", "cve cve20178977", "cve cve20140322", "type indicator", "britney spears", "official", "skip", "tiktok youtube", "spotify apple", "join", "newsletter", "subscribe", "britney", "rights reserved", "service", "matthew pynhas", "grs limited", "domain admin", "digital privacy", "wolfgang reile", "clyde murphy", "dmitry urin", "artem zahvatkin", "aleksey silakov", "mmi online", "cloud", "email add", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "t1590 gather", "victim network", "united", "command decode", "suricata ipv4", "pcap frame", "suricata udpv4", "belgium belgium", "localappdata", "domain address", "contacted hosts", "strings", "show process", "programfiles", "mitre att", "show technique", "ck matrix", "href", "username", "userprofile", "sha1", "comspec", "model", "iframe", "general", "path", "ipv4", "dynamicloader", "msie", "windows nt", "unknown", "write c", "tls handshake", "failure", "tlsv1", "forbidden", "encrypt", "xserver", "copy", "write", "trojan", "malware", "julia", "carr", "next", "temple", "show", "entries", "medium", "search", "et trojan", "possible", "host sinkhole", "cookie value", "delete", "ids detections", "bifrose", "win32", "high", "crlf line", "document file", "v2 document", "yara rule", "sniffs", "guard" ], "references": [ "https://britneyspears.com/", "https://www.neurotoxininstitute.com/", "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/", "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com", "https://hello.engine.com/api/mailings \u2022 hello.engine.com", "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below", "FileHash - SHA255 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Poland", "United Kingdom of Great Britain and Northern Ireland", "T\u00fcrkiye", "Malaysia", "Canada", "Finland", "Germany", "Russian Federation", "Ireland", "France", "Jordan", "Australia" ], "malware_families": [ { "id": "Win32/Spigot", "display_name": "Win32/Spigot", "target": null }, { "id": "VirTool:Win32/VBInject.gen!CF", "display_name": "VirTool:Win32/VBInject.gen!CF", "target": "/malware/VirTool:Win32/VBInject.gen!CF" }, { "id": "Searchjstg", "display_name": "Searchjstg", "target": null }, { "id": "Backdoor:Win32/Bifrose", "display_name": "Backdoor:Win32/Bifrose", "target": "/malware/Backdoor:Win32/Bifrose" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 424, "domain": 374, "hostname": 167, "FileHash-SHA256": 175, "email": 2, "FileHash-MD5": 222, "FileHash-SHA1": 145, "CVE": 7, "SSLCertFingerprint": 36 }, "indicator_count": 1552, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691e2279ac1ef8b9dbfbc2b3", "name": "Mirai \u2022 Neurotox Institute", "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]", "modified": "2025-12-19T19:00:18.927000", "created": "2025-11-19T20:03:05.195000", "tags": [ "united", "link", "virtool", "meta", "atom", "pragma", "dynamicloader", "msie", "windows nt", "tls handshake", "failure", "tlsv1", "forbidden", "ogoogle trust", "encrypt", "possible", "write", "malware", "consumed", "netherlands", "united kingdom", "read c", "sality", "delphi", "win32", "strings", "xserver", "post http", "post method", "cryptexportkey", "ocloudflare", "cryptgenkey", "calgrc4", "persistence", "execution", "div div", "script script", "span a", "a li", "unknown ns", "span", "april", "passive dns", "hosting", "reverse dns", "hostname add", "files ip", "asn as32475", "address domain", "mirai", "united states", "facebook", "twitter", "youtube", "ck ids", "mh may", "t1204 technique", "user execution", "suggested", "port", "destination", "telnet login", "high", "tcp syn", "infectednight", "resolverror", "suspicious path", "ids detections", "yara detections", "sinkhole cookie", "file score", "detections sf", "value snkz", "forbidden tls", "et trojan", "value", "et info", "et", "present oct", "domain", "title", "present sep", "moved", "server", "next associated", "ipv4 add", "urls", "files", "trojan", "cookie", "predict70 sep", "next http", "scans record", "forbidden date", "gmt content", "type", "unix", "namecheap url", "forward elf", "md5 add", "less see", "contacted", "pulse pulses", "av detections", "analysis date", "virus", "ee fc", "unknown", "yara rule", "ff d5", "search", "show", "suspicious", "fbq object", "ide value", "source level", "url text", "line", "allow attribute", "mootools", "class function", "chain", "options", "elements", "garbage", "drag", "xhr function", "ajax", "itemid14", "kb image", "kb script", "b image", "b stylesheet", "b script", "kb stylesheet", "stylesheet", "redirect chain", "path size", "type mimetype", "resource", "general full", "montreal", "canada", "asn16276", "debian", "url http", "hash", "main", "cookie object", "dns any", "date", "entries", "url https", "Foundry", "Lazarus", "Endgame", "Neurotoxin Institute", "Hall Render", "Brian Sabey", "UC Health", "Britney Spears Official" ], "references": [ "https://www.neurotoxininstitute.com/", "Backdoor.Win32.Pushdo.s Checkin", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks", "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure", "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole", "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward", "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed", "http://appelfarm.org", "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52", "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52", "IDS Signatures : SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206", "Interesting Strings : 13.79.87.163", "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png", "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5", "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa", "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8", "https://britneyspears.com/", "hallrender.com \u2022 https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com", "https://citrix.hallrender.com/vpn/install/ \u2022 https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://elite.hallrender.com \u2022 https://hallrender.com/attorney/gregg-m-wallander/", "brian-sabey-anyxxxtube.net \u2022 hallrender.com", "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com", "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14", "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America", "Japan", "France", "Germany", "Canada", "Netherlands", "United Kingdom of Great Britain and Northern Ireland", "New Zealand", "Italy", "Aruba", "Poland", "Singapore", "T\u00fcrkiye", "Indonesia", "Spain", "Hong Kong" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Netherlands", "display_name": "Netherlands", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Virus:Win32/Krepper.30760", "display_name": "Virus:Win32/Krepper.30760", "target": "/malware/Virus:Win32/Krepper.30760" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf", "target": null }, { "id": "Suggested", "display_name": "Suggested", "target": null }, { "id": "VirTool:Win32/VBInject.gen!MH", "display_name": "VirTool:Win32/VBInject.gen!MH", "target": "/malware/VirTool:Win32/VBInject.gen!MH" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70", "target": null }, { "id": "Win32:Zbot-RUV", "display_name": "Win32:Zbot-RUV", "target": null }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Kryptik", "display_name": "Win32:Kryptik", "target": null }, { "id": "Trojan:Win32/Bulta", "display_name": "Trojan:Win32/Bulta", "target": "/malware/Trojan:Win32/Bulta" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 198, "domain": 471, "FileHash-SHA256": 1442, "FileHash-MD5": 183, "FileHash-SHA1": 79, "email": 5, "SSLCertFingerprint": 63 }, "indicator_count": 2952, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7fc464f9f56ac33a389", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:32.030000", "created": "2023-12-06T16:57:32.030000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7e7daf278491d9f9eb4", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:11.228000", "created": "2023-12-06T16:57:11.228000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652044fb2f28d46e91d29160", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:33:47.403000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65204565ac1e8bce4de26df3", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:35:33.618000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1df9a7da086561b9897f", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-30T03:07:37.963000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "65204565ac1e8bce4de26df3", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.appelfarm.org/xmlrpc.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.appelfarm.org/xmlrpc.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776645610.8957393 }