{ "type": "URL", "indicator": "https://www.google.com/contact/For", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.google.com/contact/For", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4090388652, "indicator": "https://www.google.com/contact/For", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69bdecb269c9d6fad107de1f", "name": "Google - BOT Beacon | Ransomware present | Active phishing campaigns", "description": "", "modified": "2026-04-19T00:22:55.777000", "created": "2026-03-21T00:56:18.458000", "tags": [ "dynamicloader", "get na", "high", "request", "google", "write c", "explorer", "malware", "virus", "polyransom", "ransom", "phishing", "cnc", "virlock", "system impact", "encrypts user", "slows", "ransom", "4 detection", "removal modern", "kaspersky", "3 prevention", "tips", "modifies itself", "polymorphic ransomware", "encrypts files", "\"parasitic\" virus", "modifies existing files", "spreader", "google llc", "file Infection", "algorithm", "ouno sni", "key usage", "data", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "self-signed", "mitre att", "defense evasion", "ta0005", "software", "evasion", "artifacts v", "full reports", "v help", "dns resolutions", "traffic udp", "hashes", "trojan", "redirects", "ms windows", "pe32", "users", "medium", "yara rule", "cache", "search", "intel", "music", "write", "unknown", "virtool", "copy", "guard", "suspicious", "defender", "launch", "tracker", "media", "next" ], "references": [ "External Hosts: COUNTRY ASN 142.251.33.206\tgoogle.com |google.comUnited StatesAS15169 google llc", "IDS Detections: SUSPICIOUS Possible automated connectivity check (www.google.com)", "IDS Detections: Terse Unencrypted Request for Google - Likely Connectivity Check", "Yara Detections: UPX", "Alerts: antisandbox_sleep hardware_id_profiling physical_drive_access suspicious_iocontrol_codes", "Alerts: process_creation_suspicious_location infostealer_browser apc_injection persistence_autorun", "Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert antivm_bochs_keys", "Alerts: antivm_generic_disk deletes_executed_files disables_uac folder_enumeration", "Alerts: stealth_hidden_extension stealth_hiddenreg suspicious_command", "142.250.147.101 \u2022 142.251.33.206 command_and_control", "http://142.251.33.206/ phishing", "http://www.forensickb.com/2013/03/file-entropy-explained.html phishing", "invalid2.invalid 4259517cd4e48a289d332ab3f0ab52a366322824", "System Impact: Once active, it typically: Encrypts user data and locks the screen.", "System Impact: Slows down system performance.", "System Impact: Attempts to spread to network shares and cloud storage", "Ransom Demands: Like other ransomware, it demands payment (often in cryptocurrency) to restore access to files or the system.", "Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Matches rule MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon", "Matches rule ET MALWARE Win32/Ramnit Checkin Unique rule identifier: This rule belongs to a private collection." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1044", "name": "File System Permissions Weakness", "display_name": "T1044 - File System Permissions Weakness" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "URL": 431, "FileHash-MD5": 123, "FileHash-SHA1": 33, "FileHash-SHA256": 478, "domain": 141, "hostname": 199, "email": 1, "CIDR": 1 }, "indicator_count": 1421, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7d96dfe022e3e33d347a2", "name": "CAPE Sandbox - \"undefined\"", "description": "", "modified": "2026-04-15T10:12:27.063000", "created": "2026-03-16T10:20:29.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 9, "domain": 24, "hostname": 112, "URL": 161, "CIDR": 9, "email": 2 }, "indicator_count": 328, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b786ef253f307468ab0d63", "name": "Project", "description": "Pulses, also known as Pulse.org, are being used to track users' activity on the internet and send emails to a website owned by GoDaddy.com, the company that owns the domain. <-- pretext not my thoughts but interesting and not my take though infra I suspect is targeted for geofencing and other abuse. researchers remain vigilint on infra", "modified": "2026-04-15T04:08:56.830000", "created": "2026-03-16T04:28:31.032000", "tags": [ "united", "unknown", "as54113", "date", "aaaa", "status", "cname", "as44273 host", "moved", "passive dns", "title", "body", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 350, "FileHash-SHA1": 5, "domain": 501, "hostname": 1851, "email": 7, "CIDR": 6, "FileHash-SHA256": 8, "CVE": 1, "FileHash-MD5": 2 }, "indicator_count": 2731, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cea40e81330ef580bf3e01", "name": "Passwords are for Treehouses", "description": "<..Here is the full text of the letter that was signed bySymantec in the US on the day of 12-29 December 2012. and here is a full set of letters and numbers.>", "modified": "2026-04-03T02:21:21.260000", "created": "2026-04-02T17:14:54.123000", "tags": [ "a domains", "script urls", "script domains", "a new", "golden era", "date", "status", "moved", "travel", "pan am", "meta", "title", "body", "symantec time", "stamping", "signer", "g4 issuer", "g2 valid", "from", "algorithm", "thumbprint", "serial number", "cf f4", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "key identifier", "x509v3 subject", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "aaaa", "cname" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "FileHash-MD5": 7, "FileHash-SHA1": 35, "IPv4": 31, "domain": 117, "hostname": 104, "email": 5, "FileHash-SHA256": 216, "IPv6": 1, "CIDR": 3 }, "indicator_count": 607, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68733dcc6607d3b83a885a3c", "name": "Banker affects an Denver Newspaper Domain | Malicious IP: 142.251.215.232", "description": "142.251.215.232 - Malware Hosting IP ( Including Denver Post) Running web server, resolved domain l Win32:Banker-LAA\\ [Trj] ||\tWin.Malware.Snojan-6775202-0 | #malware_infection #banker #malware", "modified": "2025-08-12T04:00:40.547000", "created": "2025-07-13T05:02:04.007000", "tags": [ "msie", "windows nt", "wow64", "slcc2", "media center", "united", "whitelisted", "search", "show", "read c", "next", "execution", "dock", "write", "persistence", "malware", "copy", "unknown", "win32", "trojan", "mtb apr", "ransom", "trojandropper", "win32qqpass apr", "passive dns", "entries", "lowfi", "worm", "date", "google llc", "algorithm", "ouno sni", "key usage", "please", "google team", "data", "v3 serial", "number", "public key", "info", "alerts", "reads", "read", "delete", "write c", "filehash", "push" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 136, "FileHash-SHA256": 621, "SSLCertFingerprint": 8, "URL": 64, "domain": 20, "hostname": 78, "CIDR": 1, "email": 3, "CVE": 1 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara Detections: UPX", "Alerts: stealth_hidden_extension stealth_hiddenreg suspicious_command", "System Impact: Attempts to spread to network shares and cloud storage", "Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert antivm_bochs_keys", "Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Matches rule ET MALWARE Win32/Ramnit Checkin Unique rule identifier: This rule belongs to a private collection.", "Matches rule MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon", "142.250.147.101 \u2022 142.251.33.206 command_and_control", "Ransom Demands: Like other ransomware, it demands payment (often in cryptocurrency) to restore access to files or the system.", "Alerts: process_creation_suspicious_location infostealer_browser apc_injection persistence_autorun", "Alerts: antisandbox_sleep hardware_id_profiling physical_drive_access suspicious_iocontrol_codes", "invalid2.invalid 4259517cd4e48a289d332ab3f0ab52a366322824", "System Impact: Once active, it typically: Encrypts user data and locks the screen.", "External Hosts: COUNTRY ASN 142.251.33.206\tgoogle.com |google.comUnited StatesAS15169 google llc", "http://www.forensickb.com/2013/03/file-entropy-explained.html phishing", "Alerts: antivm_generic_disk deletes_executed_files disables_uac folder_enumeration", "IDS Detections: SUSPICIOUS Possible automated connectivity check (www.google.com)", "System Impact: Slows down system performance.", "http://142.251.33.206/ phishing", "IDS Detections: Terse Unencrypted Request for Google - Likely Connectivity Check" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.virus.polyransom-5704625-0", "Other malware" ], "industries": [], "unique_indicators": 13589 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "www.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69bdecb269c9d6fad107de1f", "name": "Google - BOT Beacon | Ransomware present | Active phishing campaigns", "description": "", "modified": "2026-04-19T00:22:55.777000", "created": "2026-03-21T00:56:18.458000", "tags": [ "dynamicloader", "get na", "high", "request", "google", "write c", "explorer", "malware", "virus", "polyransom", "ransom", "phishing", "cnc", "virlock", "system impact", "encrypts user", "slows", "ransom", "4 detection", "removal modern", "kaspersky", "3 prevention", "tips", "modifies itself", "polymorphic ransomware", "encrypts files", "\"parasitic\" virus", "modifies existing files", "spreader", "google llc", "file Infection", "algorithm", "ouno sni", "key usage", "data", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "self-signed", "mitre att", "defense evasion", "ta0005", "software", "evasion", "artifacts v", "full reports", "v help", "dns resolutions", "traffic udp", "hashes", "trojan", "redirects", "ms windows", "pe32", "users", "medium", "yara rule", "cache", "search", "intel", "music", "write", "unknown", "virtool", "copy", "guard", "suspicious", "defender", "launch", "tracker", "media", "next" ], "references": [ "External Hosts: COUNTRY ASN 142.251.33.206\tgoogle.com |google.comUnited StatesAS15169 google llc", "IDS Detections: SUSPICIOUS Possible automated connectivity check (www.google.com)", "IDS Detections: Terse Unencrypted Request for Google - Likely Connectivity Check", "Yara Detections: UPX", "Alerts: antisandbox_sleep hardware_id_profiling physical_drive_access suspicious_iocontrol_codes", "Alerts: process_creation_suspicious_location infostealer_browser apc_injection persistence_autorun", "Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert antivm_bochs_keys", "Alerts: antivm_generic_disk deletes_executed_files disables_uac folder_enumeration", "Alerts: stealth_hidden_extension stealth_hiddenreg suspicious_command", "142.250.147.101 \u2022 142.251.33.206 command_and_control", "http://142.251.33.206/ phishing", "http://www.forensickb.com/2013/03/file-entropy-explained.html phishing", "invalid2.invalid 4259517cd4e48a289d332ab3f0ab52a366322824", "System Impact: Once active, it typically: Encrypts user data and locks the screen.", "System Impact: Slows down system performance.", "System Impact: Attempts to spread to network shares and cloud storage", "Ransom Demands: Like other ransomware, it demands payment (often in cryptocurrency) to restore access to files or the system.", "Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Matches rule MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon", "Matches rule ET MALWARE Win32/Ramnit Checkin Unique rule identifier: This rule belongs to a private collection." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1044", "name": "File System Permissions Weakness", "display_name": "T1044 - File System Permissions Weakness" }, { "id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "display_name": "T1222.001 - Windows File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 14, "URL": 431, "FileHash-MD5": 123, "FileHash-SHA1": 33, "FileHash-SHA256": 478, "domain": 141, "hostname": 199, "email": 1, "CIDR": 1 }, "indicator_count": 1421, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7d96dfe022e3e33d347a2", "name": "CAPE Sandbox - \"undefined\"", "description": "", "modified": "2026-04-15T10:12:27.063000", "created": "2026-03-16T10:20:29.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 9, "domain": 24, "hostname": 112, "URL": 161, "CIDR": 9, "email": 2 }, "indicator_count": 328, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b786ef253f307468ab0d63", "name": "Project", "description": "Pulses, also known as Pulse.org, are being used to track users' activity on the internet and send emails to a website owned by GoDaddy.com, the company that owns the domain. <-- pretext not my thoughts but interesting and not my take though infra I suspect is targeted for geofencing and other abuse. researchers remain vigilint on infra", "modified": "2026-04-15T04:08:56.830000", "created": "2026-03-16T04:28:31.032000", "tags": [ "united", "unknown", "as54113", "date", "aaaa", "status", "cname", "as44273 host", "moved", "passive dns", "title", "body", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 350, "FileHash-SHA1": 5, "domain": 501, "hostname": 1851, "email": 7, "CIDR": 6, "FileHash-SHA256": 8, "CVE": 1, "FileHash-MD5": 2 }, "indicator_count": 2731, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cea40e81330ef580bf3e01", "name": "Passwords are for Treehouses", "description": "<..Here is the full text of the letter that was signed bySymantec in the US on the day of 12-29 December 2012. and here is a full set of letters and numbers.>", "modified": "2026-04-03T02:21:21.260000", "created": "2026-04-02T17:14:54.123000", "tags": [ "a domains", "script urls", "script domains", "a new", "golden era", "date", "status", "moved", "travel", "pan am", "meta", "title", "body", "symantec time", "stamping", "signer", "g4 issuer", "g2 valid", "from", "algorithm", "thumbprint", "serial number", "cf f4", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "key identifier", "x509v3 subject", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "aaaa", "cname" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "FileHash-MD5": 7, "FileHash-SHA1": 35, "IPv4": 31, "domain": 117, "hostname": 104, "email": 5, "FileHash-SHA256": 216, "IPv6": 1, "CIDR": 3 }, "indicator_count": 607, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68733dcc6607d3b83a885a3c", "name": "Banker affects an Denver Newspaper Domain | Malicious IP: 142.251.215.232", "description": "142.251.215.232 - Malware Hosting IP ( Including Denver Post) Running web server, resolved domain l Win32:Banker-LAA\\ [Trj] ||\tWin.Malware.Snojan-6775202-0 | #malware_infection #banker #malware", "modified": "2025-08-12T04:00:40.547000", "created": "2025-07-13T05:02:04.007000", "tags": [ "msie", "windows nt", "wow64", "slcc2", "media center", "united", "whitelisted", "search", "show", "read c", "next", "execution", "dock", "write", "persistence", "malware", "copy", "unknown", "win32", "trojan", "mtb apr", "ransom", "trojandropper", "win32qqpass apr", "passive dns", "entries", "lowfi", "worm", "date", "google llc", "algorithm", "ouno sni", "key usage", "please", "google team", "data", "v3 serial", "number", "public key", "info", "alerts", "reads", "read", "delete", "write c", "filehash", "push" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 136, "FileHash-SHA256": 621, "SSLCertFingerprint": 8, "URL": 64, "domain": 20, "hostname": 78, "CIDR": 1, "email": 3, "CVE": 1 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.google.com/contact/For", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.google.com/contact/For", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776591901.532967 }