{ "type": "URL", "indicator": "https://www.googletagmanager.com/ns.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.googletagmanager.com/ns.html", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #187", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain googletagmanager.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain googletagmanager.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2730585259, "indicator": "https://www.googletagmanager.com/ns.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 23, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19a9e96af10a628d3410f6", "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE", "description": "", "modified": "2026-05-29T14:59:53.153000", "created": "2026-05-29T14:59:53.153000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66d496e04d8fa0cc8d528941", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19a9e76f31858c39e74d24", "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE", "description": "", "modified": "2026-05-29T14:59:51.891000", "created": "2026-05-29T14:59:51.891000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66d496e04d8fa0cc8d528941", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69af2add3f9282fe5344b55a", "name": "Google Search", "description": "Malicious.com and.net domains are part of the Tofsee and Arid Viper cyber-espionage infrastructure, according to a report published in the New York Times on Tuesday..", "modified": "2026-04-08T22:28:30.988000", "created": "2026-03-09T20:17:33.574000", "tags": [ "hostnames", "infrastructure", "payload", "library vector", "escalation", "plain text", "primary ip", "quincy", "ma yahoo", "proxy", "tofsee" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 153, "hostname": 81, "FileHash-MD5": 54, "FileHash-SHA1": 68, "FileHash-SHA256": 224, "URL": 80, "email": 4, "CIDR": 2 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ed5eca930bccd0aec22be", "name": "Foundry.matav.hu - Ransom & SpyVoltar", "description": "", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:22:20.760000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": "688ed51290c84cbaec011d53", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ed51290c84cbaec011d53", "name": "Indie Music Artists Website-Win32/SpyVoltar.A Checkin 2", "description": "* Music Artists Website-Win32/SpyVoltar.A Checkin 2 * ransom:Win32/Haperlock.A highjacked SongCulture.com and her Bank Account. Ongoing.\nVery malicious espionage. Had been running Tsars Brashears website after canceling her Bank account via hacking. A South African calle center Brashears was told did not exist were the call center for AllState , Esurance (Now NGIC?) and T-mobile. Have not paid her losses including daughter\u2019s stolen SUV!! \n#espionage #ransom", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:18:42.264000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0fbceab364a2b84b1124", "name": "Busybox MIORI Hackers - ongoing Aurora , Medical Campus -Mirai [by scoreblue -Team 8]", "description": "", "modified": "2025-07-31T06:39:56.204000", "created": "2025-07-31T06:39:56.204000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "66fb3c4e8a2593134641f3c0", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "304 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fb3c4e8a2593134641f3c0", "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai", "description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anshutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post pulse multiple times. IP's were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissents, potential whistle blowers. One victim attacked physically losing health battle. Doctors unwilling to treat.Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counter attack.", "modified": "2024-10-30T22:04:06.705000", "created": "2024-10-01T00:03:26.199000", "tags": [ "idnischdr http", "computer", "america asn", "as7018 att", "url https", "america", "united states", "united", "germany", "italy", "trojan", "all scoreblue", "report spam", "created", "trojanspy", "worm", "trojanclicker", "virtool", "service", "all search", "author avatar", "miori hackers", "file score", "detections elf", "path", "busybox busybox", "brute force", "attack bad", "login yara", "detections", "sid name", "malware cve", "suspicious path", "busybox", "activity", "system", "malware beacon", "bad login", "attack", "port", "destination", "show", "search", "exif data", "property value", "elf info", "key value", "x86 baddr", "elf64 crypto", "final url", "ip address", "status code", "body", "kb body", "sha256", "server", "gmt connection", "date sun", "gmt contenttype", "filehashsha256", "crazy doll", "next", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "cus stcolorado", "info", "director", "orgtechhandle", "orgtechref", "university", "whois lookup", "netrange", "nethandle", "net168", "net1680000", "ucha", "network", "registry arin", "country us", "continent na", "meta", "script script", "lance mueller", "mueller", "unknown", "script urls", "photography", "passive dns", "urls", "model", "creation date", "hostname", "pulse submit", "url analysis", "files", "domain", "status", "http", "record value", "emails", "dnssec", "domain name", "backdoor", "bad request", "entries", "title style", "f2f2f2 color", "helvetica neue", "exploit", "browse scan", "endpoints all", "search otx", "related pulses", "file samples", "files matching", "as44273 host", "showing", "telper", "date hash", "copyright", "url http", "win64", "as53665 bodis", "aaaa", "as206834 team", "canada unknown", "read c", "create c", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "dock", "write", "execution", "copy", "xport", "1575038779", "medium", "capture", "malware", "february", "as61969 team", "servers", "domain robot", "expiration date", "as714 apple", "as42 woodynet", "nxdomain", "name servers", "a nxdomain", "ipv4", "found", "control", "content type", "as20940", "asnone united", "as701 verizon", "as2914 ntt", "win32", "certificate", "date", "dynamicloader", "high", "t1055", "attempts", "yara detections", "bitcoinaltcoin", "code injection", "high defense", "ip related", "pulses otx", "pulses", "overview domain", "files ip", "address domain", "related tags", "pulse pulses", "div div", "as49505", "span", "form", "as6185 apple", "china", "as4812 china", "as17816 china", "as4134 chinanet", "scan endpoints", "trojan features", "enigmaprotector", "dynamic", "powershell", "filehash", "for privacy", "ltd dba", "com laude", "cname", "cve20170147 sep", "verdict", "as63949 linode", "https", "as8075", "united kingdom", "whitelisted", "as25825", "moved", "aurora", "redacted for", "whois lookups", "orgid", "east", "seen", "update date", "cidr", "netname uch", "parent net168", "nettype direct", "contacted", "tulach", "brian sabey" ], "references": [ "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "ELF:Mirai-TO\\ [Trj] tulach.cc", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Yara Detections: is__elf", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Title The page title. Chieti Meteo - Webcam Abruzzo", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com" ], "public": 1, "adversary": "busybox MIORI Hackers", "targeted_countries": [ "United States of America", "Mexico" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Bulilit", "display_name": "TrojanDownloader:Win32/Bulilit", "target": "/malware/TrojanDownloader:Win32/Bulilit" }, { "id": "ELF:Mirai-TO\\ [Trj]", "display_name": "ELF:Mirai-TO\\ [Trj]", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TELPER:HSTR:DotCisOffer", "display_name": "TELPER:HSTR:DotCisOffer", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Backdoor:Win32/Bladabindi", "display_name": "Backdoor:Win32/Bladabindi", "target": "/malware/Backdoor:Win32/Bladabindi" }, { "id": "ALF:E5", "display_name": "ALF:E5", "target": null }, { "id": "Win.Malware.Midie-9950743-0", "display_name": "Win.Malware.Midie-9950743-0", "target": null }, { "id": "Trojan:Win32/Emotet.ARJ!MTB", "display_name": "Trojan:Win32/Emotet.ARJ!MTB", "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 459, "FileHash-MD5": 1228, "FileHash-SHA1": 1163, "FileHash-SHA256": 2243, "domain": 876, "hostname": 1088, "CIDR": 2, "email": 17, "CVE": 2, "SSLCertFingerprint": 5 }, "indicator_count": 7083, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "577 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e94760a415fb970ab2dfdd", "name": "Pornhub Api connected to Targets phone via Remote Telegram install", "description": "Cyber attack named 'Project Endgame' by threat actors || Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0", "modified": "2024-10-17T08:04:26.924000", "created": "2024-09-17T09:09:52.842000", "tags": [ "all scoreblue", "contacted", "telegram", "pornhub", "hostname", "domain", "iocs", "pdf report", "pcap", "stix", "openioc", "ck t1003", "os credential", "dumping t1005", "local system", "t1012", "registry t1018", "remote system", "discovery t1027", "files", "t1053", "whitelisted", "agent", "as13414 twitter", "as14061", "as15169 google", "as16552", "as16276", "as19679 dropbox", "as22612", "as25019", "as32934", "as35680", "as62597", "as54113", "as397241", "as397240", "nsone as63949", "as35819", "china unknown", "chrome", "code", "as16552 tiggee", "as2914 ntt", "as25019 saudi", "asnone hong", "as63949 linode", "as7303 telecom", "as8151", "as9318 sk", "asn as13414", "asn as48684", "cookie", "encrypt", "endgame", "emails", "cryp", "delphi", "dynamicloader", "dns", "grum", "germany unknown", "gmt max", "connection", "dns resolutions", "porn", "regsz", "langgeorgian", "sublangdefault", "rticon", "english", "regsetvalueexa", "regdword", "medium", "t1055", "win32", "malware", "copy", "updater", "generic", "delete c", "yara rule", "high", "search", "ms windows", "tofsee", "show", "windows", "russia as49505", "united", "grum", "write", "query", "contacted", "installs", "stream", "unknown", "as46606", "passive dns", "date", "scan endpoints", "pulse pulses", "urls", "as8151", "mexico unknown", "saudi arabia", "as25019 saudi", "china unknown", "as7303 telecom", "hungary unknown", "trojan", "msie", "body", "ransom", "icmp traffic", "pdb path", "filehash", "url http", "http", "address", "russia unknown", "privacy tools", "as396982 google", "as57416 llc", "div div", "span h3", "span div", "h3 p", "as24940 hetzner", "face", "delete", "yara detections", "sinkhole cookie", "value snkz", "pe32", "suspicious", "possible", "as56864 xeon", "ipv4", "pulse submit", "url analysis", "ip address", "location united", "next", "germany unknown", "method", "allowed server", "content length", "content type", "cookie", "registrar abuse", "explorer", "files matching", "homepage", "hungary unknown", "installs ip", "installs", "ip", "link", "mexico unknown", "pegasus", "operation endgame", "public key", "ransom", "twitter redirect", "Kong unknown", "script urls", "servers", "updater", "united kingdom unknown", "unique", "ukraine unknown", "trojan features", "trojan", "tofsee", "title telegram", "tags twitter", "twitter", "tags", "sublangdefault" ], "references": [ "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.pornhub.com/video/search?search=tsara+brashears", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "https://sslproxy.gatewayclient3.v.hikops.com", "api2ip.ua \u00bb External IP Lookup Service Domain", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil", "Singapore", "Netherlands", "Russian Federation", "Japan", "Malaysia", "Hong Kong", "Ireland", "Korea, Republic of", "France", "United Kingdom of Great Britain and Northern Ireland", "Argentina", "Austria", "China", "Canada", "Germany" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "TrojanDownloader:Win32/Tofsee", "display_name": "TrojanDownloader:Win32/Tofsee", "target": "/malware/TrojanDownloader:Win32/Tofsee" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Win.Dropper.Tofsee-10023347-0", "display_name": "Win.Dropper.Tofsee-10023347-0", "target": null }, { "id": "#Lowfi:HSTR:Win32/Exprio", "display_name": "#Lowfi:HSTR:Win32/Exprio", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Meredrop", "display_name": "Trojan:Win32/Meredrop", "target": "/malware/Trojan:Win32/Meredrop" }, { "id": "Trojan:Win32/Eqtonex", "display_name": "Trojan:Win32/Eqtonex", "target": "/malware/Trojan:Win32/Eqtonex" }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Trojan:Win32/Azorult", "display_name": "Trojan:Win32/Azorult", "target": "/malware/Trojan:Win32/Azorult" }, { "id": "ALF:Trojan:BAT/EnvVarCharReplacement", "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1570, "FileHash-SHA1": 1301, "FileHash-SHA256": 3497, "URL": 3835, "domain": 1475, "hostname": 2405, "CIDR": 1, "email": 23 }, "indicator_count": 14107, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cec16f4b510d325dc923a1", "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware", "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO. \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.", "modified": "2024-09-27T03:03:09.340000", "created": "2024-08-28T06:19:27.154000", "tags": [ "as36081 state", "location united", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "mirai", "united states", "united", "ave suite", "purpose p5", "country united", "code us", "name security", "nexus category", "phone number", "postal code", "network", "number", "country us", "continent na", "algorithm", "data", "v3 serial", "cus oapple", "public ev", "server ecc", "g1 validity", "organization", "subject public", "rauschenberg", "apple computer", "applec1z", "mitre att", "evasion ta0005", "hashes", "msie", "windows nt", "wow64", "slcc2", "media center", "response", "request", "accept", "location https", "taiwan as3462", "south korea", "as4766 korea", "high", "japan as17676", "china as45090", "http", "search", "contacted", "malware", "copy", "as41231", "united kingdom", "status", "aaaa", "ddos", "whitelisted", "certificate", "moved", "trojan", "virtool", "encrypt", "software", "initial", "passive dns", "scan endpoints", "all scoreblue", "body", "a domains", "linux ubuntu", "creation date", "enterprise open", "ubuntu", "linux", "social", "window", "code", "ipv4", "urls", "files", "reverse dns", "trojan features", "file samples", "files matching", "date hash", "domain", "address", "name servers", "servers", "intel", "icmp traffic", "dead_host", "network_icmp", "osquery_detection", "nolookup_communication", "pulse pulses", "unknown", "as20940", "as15169 google", "dns show", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "province co", "error", "tr tr", "pulse submit", "url analysis", "hostname", "files ip", "asnone united", "ireland unknown", "brazil unknown", "next", "showing", "gmt content", "apache cache", "pragma", "record value", "trojanproxy", "win32", "title", "server", "alf features", "related pulses", "show", "ip address", "asn as16509", "china unknown", "hichina", "hong kong", "as133775 xiamen", "web server", "authentication", "tls web", "full name", "ca issuers", "as44273 host", "a nxdomain", "avast avg", "russia unknown", "germany unknown", "turkey unknown", "japan unknown", "as16276", "france unknown", "service", "ck ids", "t1082", "t1129", "modules", "t1045", "packing", "t1060", "run keys", "startup" ], "references": [ "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "Yara: Mirai_Botnet_Malware", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "Yara Detections Mirai_Botnet_Malware", "Detections Executable and linking format (ELF) file download Over HTTP", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "Detections Executable and linking format (ELF) file download Over HTTP", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College" ], "public": 1, "adversary": "Frank Di MuccioSGT", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "DDoS:Linux/Lightaidra", "display_name": "DDoS:Linux/Lightaidra", "target": "/malware/DDoS:Linux/Lightaidra" }, { "id": "Trojan:Win32/Skeeyah", "display_name": "Trojan:Win32/Skeeyah", "target": "/malware/Trojan:Win32/Skeeyah" }, { "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "PSW.Generic12.WIO", "display_name": "PSW.Generic12.WIO", "target": null }, { "id": "ELF:Hajime-Q", "display_name": "ELF:Hajime-Q", "target": null }, { "id": "Botnet", "display_name": "Botnet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Telecommunications", "Government", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1108, "hostname": 627, "domain": 628, "URL": 534, "FileHash-MD5": 377, "FileHash-SHA1": 373, "email": 12, "CIDR": 2, "SSLCertFingerprint": 2 }, "indicator_count": 3663, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb1903bb12a0d4b524a0fb", "name": "HCA Healthcloid | Cellco\u00bb Adversary in the Middle | Swipper Verizon Block ", "description": "", "modified": "2024-09-18T18:16:35.396000", "created": "2024-09-18T18:16:35.396000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "619 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ba9198fd69c93fabece38d", "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring", "description": "Linked to X.com research. Remotely spoofs, Ddos, blocks, intercepts, redirects, all activity of vicrim. At one time same Handle: Swipper had a malicious link attached to targets Apple notepads. The link connected to a website with targets name with photo of a jubilant arrest , or death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.", "modified": "2024-09-18T18:12:03.438000", "created": "2024-08-12T22:50:00.127000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 51, "CIDR": 11, "URL": 280, "hostname": 426, "FileHash-SHA256": 4334, "domain": 180, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9771, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb6092ed7d61b3a370d6cd", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:41:55.890000", "created": "2024-08-25T16:49:22.975000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66ba9198fd69c93fabece38d", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 24, "CIDR": 8, "URL": 190, "hostname": 370, "FileHash-SHA256": 4319, "domain": 176, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9576, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d496e04d8fa0cc8d528941", "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ", "description": "", "modified": "2024-09-12T00:25:51.199000", "created": "2024-09-01T16:31:28.909000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66cb6092ed7d61b3a370d6cd", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b157718e7ddf71765db", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:33.521000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b1cd80668c22e7e1c7a", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:40.078000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644", "Foundry stalking.", "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "www.techcult.com", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912", "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "IDS Detections Gh0stCringe CnC Activity M2", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "savethemalesdenver.com | brasville.com.br?", "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4", "Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com", "Detections Executable and linking format (ELF) file download Over HTTP", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 | ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:", "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016", "record-viewer-application.hcahealthcare.cloud", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "Yara: Mirai_Botnet_Malware", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Stack pivoting was detected when using a critical API", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com", "Alerts: cape_detected_threat", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3", "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "IDS Detections Zusy Variant CnC Checkin", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21", "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "83610e8d2924c9886b25ad530e8ad971.pornhub.com", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349", "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com", "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://sslproxy.gatewayclient3.v.hikops.com", "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg", "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom", "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "Tulach IP: 114.114.114.114", "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO", "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru", "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request", "Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "http://www.tabxexplorer.com/lenovo", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "Yara: Detections ConventionEngine_Term_Users", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox", "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru Created: Jun 19, 2016", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "api2ip.ua \u00bb External IP Lookup Service Domain", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin", "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)", "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Alerts: mouse_movement_detect", "ELF:Mirai-TO\\ [Trj] tulach.cc", "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "Yara Detections: is__elf", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName", "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive", "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "nr-data.net [Apple Private Data Collection]", "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]", "Title The page title. Chieti Meteo - Webcam Abruzzo", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "Yara Detections Mirai_Botnet_Malware", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net", "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca", "api.acumatica.flex.redteam.com", "dev-app.project-cicada.com \u2022 project-cicada.com", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://hs.ecam.com/your-challenges-ecams-solutions", "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "https://goo.gl/9p2vKq", "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login", "Yara : MS_Visual_Basic_6_0 ,", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc", "Yara Detections: SUSP_Imphash_Mar23_2", "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru", "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "Unix.Trojan.Mirai-6976991-0 FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]", "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a", "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Frank Di MuccioSGT", "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "busybox MIORI Hackers" ], "malware_families": [ "Trojan:win32/blackmon", "Alf:program:win32/webcompanion", "Trojan:win32/fakefolder", "#exploit:win32/cve- 2023 - 23397", "Elf:mirai-to\\ [trj]", "Alf:trojan:bat/envvarcharreplacement", "#lowfi:hstr:win32/exprio", "Telper:hstr:dotcisoffer", "Slf:win64/cobpipe", "Backdoor:win32/bladabindi", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan:win32/emotet.arj!mtb", "Mirai", "Trojanspy:win32/nivdort", "Trojan:win32/meredrop", "Tulach malware", "Worm:win32/autorun", "Trojan:win32/vflooder.a", "Win.malware.generickdz-9982080-0", "!autoit_3_00_third_party", "Alf:heraklezeval:ransom:win32/cve", "Trojandownloader:win32/upatre.aa", "Doc.downloader.emotetred02220-9938909-0", "Win32:malob-bx", "Virtool:win32/obfuscator.k", "Win.trojan.gh0strat-9955419-1", "Win.trojan.agent", "Sova", "Win.malware.snojan-6775202-0", "Alf:trojan:win32/cassini_56a3061!ibt", "Cymt", "Botnet", "Pegasus", "Wannacry", "Darkcomet", "Trojan:win32/comisproc!gmb", "Et", "Trojandownloader:win32/cutwail.bs", "Ddos:linux/lightaidra", "Psw.generic12.wio", "Win.ransomware.msilzilla-10014498-0", "Elf:hajime-q", "Artro", "Ransom:win32/crowti.a", "Trojan:win32/skeeyah", "Win.dropper.tofsee-10023347-0", "Win.malware.autoit-7732194-0", "Win.trojan.tofsee-6840338-0", "Trojan:win32/zusy", "#virtool:win32/obfuscator.adb", "#lowfienabledtcontinueafterunpacking", "Trojandownloader:win32/tofsee", "Virtool:win32/obfuscator", "Trojan:win32/danabot", "#lowfi:hstr:autoititv3modguidmark", "Trojandropper:win32/muldrop.v!mtb", "Trojandownloader:win32/bulilit", "Backdoor:linux/mirai.b", "Win32:pwsx-gen\\ [trj]", "Foundry", "Alf:pulzati:worm:win32/mydoom", "Win.malware.midie-9950743-0", "Flooder", "Trojan:win32/azorult", "Trojan:win32/eqtonex", "Ransom:win32/stopcrypt.ak!mtb", "Alf:e5", "Trojandropper:win32/vb.il0", "Trojan.upatre/waski", "Backdoor:win32/tofsee", "Ransom:win32/wannaren.a", "Alf:trojan:win32/flystudio.pa!mtb", "Trojandropper:win32/vb.il", "Trojan:win32/antavmu" ], "industries": [ "Civilian society", "Healthcare", "Government", "Technology", "Telecommunications", "Networking", "Civil society" ], "unique_indicators": 145805 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/googletagmanager.com", "whois": "http://whois.domaintools.com/googletagmanager.com", "domain": "googletagmanager.com", "hostname": "www.googletagmanager.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 23, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19a9e96af10a628d3410f6", "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE", "description": "", "modified": "2026-05-29T14:59:53.153000", "created": "2026-05-29T14:59:53.153000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66d496e04d8fa0cc8d528941", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a19a9e76f31858c39e74d24", "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE", "description": "", "modified": "2026-05-29T14:59:51.891000", "created": "2026-05-29T14:59:51.891000", "tags": [ "swipp9-arin", "swipper", "swipp", "verizon", "cellcopart", "swipper", "ongoing", "get e sim", "as16276", "france unknown", "unknown", "as6167", "org verizon", "passive dns", "all scoreblue", "as8075", "cellco", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "cms", "express", "tsa b", "self", "server", "get esim", "wirelessdatanetwork", "netrange", "nethandle", "net174", "net1740000", "mcics", "orgid", "mcics address", "loudoun county", "android", "generic http", "exe upload", "windows nt", "outbound", "host", "malware beacon", "cape", "trojan", "copy", "write", "malware", "inbound", "impash", "post na", "search", "delete", "related pulses", "top source", "top destination", "source source", "filehash", "contentlength", "activity", "dns lookup", "flooder", "et", "aaaa", "nxdomain", "domain", "ipv4", "url analysis", "files", "malicious", "network", "historical ssl", "epsilon stealer", "traces aided", "dns intel", "remote job", "keeper", "snatch", "ransomware", "united states", "as8068", "entries", "mtb jan", "body", "x msedge", "scan endpoints", "trojandropper", "slf features", "file samples", "files matching", "date hash", "next", "win64", "win32", "copyright", "levelblue", "showing", "a domains", "as54113", "script domains", "script urls", "script script", "date", "meta", "window", "cookie", "trojan features", "worm", "show", "alf features", "hca", "target tsara brashears", "hostname", "expiration", "no expiration", "hca health", "eva120", "jody huffines", "jody alaska", "stephen r 'middleton'", "phone clone", "adversary in the middle", "known threat", "android attack", "web attack", "network", "dns", "florence co", "ddos", "google", "ip address", "ip range", "whois", "spam stats", "as6167 network", "cleantalk ip", "email abuse", "reports", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "known malicious ip", "spoof", "twitter", "x", "hackers" ], "references": [ "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks 174.215.26.0", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com", "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10", "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 , Trojan:Win32/Vflooder.B", "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara Detections: SUSP_Imphash_Mar23_2", "Alerts: cape_detected_threat", "http://www.govexec.com/dailyfed/0906/091806ol.htm", "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b", "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud", "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK", "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)", "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business", "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:", "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS", "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net", "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN", "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com", "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN", "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Flooder", "display_name": "Flooder", "target": null }, { "id": "Trojan.Upatre/Waski", "display_name": "Trojan.Upatre/Waski", "target": null }, { "id": "SLF:Win64/CobPipe", "display_name": "SLF:Win64/CobPipe", "target": "/malware/SLF:Win64/CobPipe" }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Worm:Win32/AutoRun", "display_name": "Worm:Win32/AutoRun", "target": "/malware/Worm:Win32/AutoRun" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Trojan:Win32/Antavmu", "display_name": "Trojan:Win32/Antavmu", "target": "/malware/Trojan:Win32/Antavmu" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1502", "name": "Parent PID Spoofing", "display_name": "T1502 - Parent PID Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Healthcare", "Government", "Civilian Society" ], "TLP": "white", "cloned_from": "66d496e04d8fa0cc8d528941", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 33, "CIDR": 9, "URL": 221, "hostname": 390, "FileHash-SHA256": 4343, "domain": 177, "FileHash-MD5": 2244, "FileHash-SHA1": 2244, "CVE": 1 }, "indicator_count": 9662, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69af2add3f9282fe5344b55a", "name": "Google Search", "description": "Malicious.com and.net domains are part of the Tofsee and Arid Viper cyber-espionage infrastructure, according to a report published in the New York Times on Tuesday..", "modified": "2026-04-08T22:28:30.988000", "created": "2026-03-09T20:17:33.574000", "tags": [ "hostnames", "infrastructure", "payload", "library vector", "escalation", "plain text", "primary ip", "quincy", "ma yahoo", "proxy", "tofsee" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 153, "hostname": 81, "FileHash-MD5": 54, "FileHash-SHA1": 68, "FileHash-SHA256": 224, "URL": 80, "email": 4, "CIDR": 2 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "158 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ed5eca930bccd0aec22be", "name": "Foundry.matav.hu - Ransom & SpyVoltar", "description": "", "modified": "2025-09-02T02:05:01.867000", "created": "2025-08-03T03:22:20.760000", "tags": [ "meta", "status", "united", "song culture", "search", "link", "script script", "home page", "denver colorado", "ip address", "date", "encrypt", "body", "a domains", "bandzoogle", "work website", "builder", "passive dns", "trojanspy", "ransom", "win32heim feb", "entries", "next associated", "site", "server", "gmt contenttype", "twitter", "gandi sas", "hostname add", "pulse submit", "url analysis", "urls", "files", "domain", "all hostname", "verdict", "files ip", "address", "moved", "showing", "south korea", "error oct", "present oct", "present dec", "canada showing", "urls show", "date checked", "url hostname", "server response", "present jun", "present apr", "hungary", "present jan", "present jul", "present feb", "present nov", "present mar", "all ipv4", "reverse dns", "location canada", "montreal", "canada asn", "present aug", "name servers", "creation date", "expiration date", "show", "hostname", "data upload", "extraction", "autofill pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "defense evasion", "development att", "heart internet", "registrar", "extend", "http version", "get na", "sinkhole cookie", "module load", "t1129", "service", "create c", "malware", "copy", "possible", "write", "win32", "nivdort", "etpro trojan", "alphacrypt cnc", "beacon", "windows nt", "wow64", "touch", "medium", "gecko http", "read c", "unknown", "virustotal", "trojan", "mcafee", "vipre", "drweb", "panda", "next", "yara detections", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": "688ed51290c84cbaec011d53", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2131, "domain": 805, "FileHash-MD5": 269, "FileHash-SHA1": 158, "FileHash-SHA256": 1153, "hostname": 919, "email": 6 }, "indicator_count": 5441, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.googletagmanager.com/ns.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "error": "Expecting value: line 1 column 1 (char 0)", "indicator": "https://www.googletagmanager.com/ns.html", "type": "URL" }, "from_cache": true, "_cached_at": 1780234307.7055094 }