{ "type": "URL", "indicator": "https://www.icloud.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.icloud.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #10", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain icloud.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain icloud.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2920183800, "indicator": "https://www.icloud.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69b0e9f202a2612fcd5f053a", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:49:01.446000", "created": "2026-03-11T04:05:06.832000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "URL": 14, "hostname": 15, "domain": 4 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b0e9f14cbe0b5d40e6fb31", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:48:59.086000", "created": "2026-03-11T04:05:05.255000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 23, "domain": 7, "hostname": 46, "URL": 38 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6457f3e06dd7b18f4f6d1633", "name": "http://www.icloud.com - hybrid scan frm 2020", "description": "", "modified": "2023-05-07T18:54:24.168000", "created": "2023-05-07T18:54:24.168000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "runtime data", "windows nt", "size", "sha256", "threat level", "pcap", "pcap processing", "date", "format", "path", "info", "suspicious", "accept", "zafi", "gosh", "hybrid", "close", "click", "hosts", "general", "local", "strings", "team", "april", "qakbot" ], "references": [ "https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/5f7570ba06837169aa62c689" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 229, "hostname": 78, "domain": 63, "FileHash-SHA256": 182, "email": 2, "IPv4": 15, "FileHash-MD5": 63, "FileHash-SHA1": 60 }, "indicator_count": 692, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1120 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6294ec64b4e171f3a7107138", "name": "www.icloud.com:%22,", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T16:10:12.299000", "tags": [], "references": [ "www.icloud.com:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 140, "URL": 196, "domain": 48, "FileHash-SHA256": 241, "CIDR": 5, "FileHash-MD5": 6 }, "indicator_count": 636, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1433 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6230e7bca2874ea23dc359ad", "name": "icloud.com:calendar:eventreply:?.", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T19:23:40.771000", "tags": [], "references": [ "icloud.com:calendar:eventreply:?.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 87, "hostname": 90, "URL": 52, "domain": 8, "CIDR": 1, "FileHash-MD5": 4, "FileHash-SHA1": 2 }, "indicator_count": 244, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "20.190.160.67 Microsoft [exploit_source]", "https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/5f7570ba06837169aa62c689", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "Crowdsourced YARA Rulesets", "20.190.160.2 Microsoft [exploit_source]", "http://dns1.whitelist.camect.com [interesting]", "watson.telemetry.microsoft.us [Data traffic manager]", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "icloud.com:calendar:eventreply:?.pdf", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "www.icloud.com:%22,.pdf", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.events.data.microsoft.com [traffic manager]", "www.anyxxxtube.net [tracking]", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "http://www.screensaver.com/ruxitbeacon", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "https://www.jbits.courts.state.co [interesting]", "20.190.160.73 Microsoft [exploit_source]", "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "http://www.sos.state.co/ [interesting]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Apple", "Malware", "Tulach" ], "industries": [], "unique_indicators": 31694 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/icloud.com", "whois": "http://whois.domaintools.com/icloud.com", "domain": "icloud.com", "hostname": "www.icloud.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69b0e9f202a2612fcd5f053a", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:49:01.446000", "created": "2026-03-11T04:05:06.832000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "URL": 14, "hostname": 15, "domain": 4 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b0e9f14cbe0b5d40e6fb31", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:48:59.086000", "created": "2026-03-11T04:05:05.255000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 23, "domain": 7, "hostname": 46, "URL": 38 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6457f3e06dd7b18f4f6d1633", "name": "http://www.icloud.com - hybrid scan frm 2020", "description": "", "modified": "2023-05-07T18:54:24.168000", "created": "2023-05-07T18:54:24.168000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "runtime data", "windows nt", "size", "sha256", "threat level", "pcap", "pcap processing", "date", "format", "path", "info", "suspicious", "accept", "zafi", "gosh", "hybrid", "close", "click", "hosts", "general", "local", "strings", "team", "april", "qakbot" ], "references": [ "https://www.hybrid-analysis.com/sample/d3ffdf44916b01e14fceca04c3a3beb5fbad5aeea482e2242c5a843793073874/5f7570ba06837169aa62c689" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 229, "hostname": 78, "domain": 63, "FileHash-SHA256": 182, "email": 2, "IPv4": 15, "FileHash-MD5": 63, "FileHash-SHA1": 60 }, "indicator_count": 692, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1120 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6294ec64b4e171f3a7107138", "name": "www.icloud.com:%22,", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T16:10:12.299000", "tags": [], "references": [ "www.icloud.com:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 140, "URL": 196, "domain": 48, "FileHash-SHA256": 241, "CIDR": 5, "FileHash-MD5": 6 }, "indicator_count": 636, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1433 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6230e7bca2874ea23dc359ad", "name": "icloud.com:calendar:eventreply:?.", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T19:23:40.771000", "tags": [], "references": [ "icloud.com:calendar:eventreply:?.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 87, "hostname": 90, "URL": 52, "domain": 8, "CIDR": 1, "FileHash-MD5": 4, "FileHash-SHA1": 2 }, "indicator_count": 244, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.icloud.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.icloud.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780294506.0037506 }