{ "type": "URL", "indicator": "https://www.mail.tudongvina.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.mail.tudongvina.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4129948827, "indicator": "https://www.mail.tudongvina.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5743593a4bcc81dd94b0b", "name": "Fed.PayPal.com - Ransom | Attacks via redirect", "description": "A monitored target, active on various payment platforms for business documented a malicious redirect event 1st seen in 2020. Follows pattern of multiple, critical and ongoing attacks beginning in 2013. In this instance target lost access to PayPal payments. If this is legal, it\u2019s been a grotesque grift. Target was financially and otherwise robbed.\n\n\n#trulymissed #paypal #advesaries #apple #twitter #backdoor #ransom #botnet #reptutationattack", "modified": "2025-10-13T13:27:11.277000", "created": "2025-09-13T13:40:05.671000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1321, "URL": 4356, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13415, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage.", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cypher", "Alf:heraklezeval:pws:win32/qqpass!rfn", "Win.malware.eclz-9953021-0", "Win.downloader.unruy-10026469-0", "Fakeav", "Toga!rfn", "Ransom:msil/genasom.i", "Backdoor:win32/tofsee.t", "Trojan:win32/floxif.e", "Spymax", "Tofsee", "Win.trojan.clicker-3506", "Malware", "Win.trojan.cycler-47", "Win.malware.midie-6847892-0", "Win.trojan.fraudpack", "Win32:banker", "Floxif", "Hybrid trojan spy and banker", "Win.dropper.unruy-9994363-0", "Worm:win32/autorun", "Win.dropper.tiggre-9845940-0", "Win.malware.remoteadmin-7056666-0", "Et", "Trojan:win32/kaicorn!rf", "Win.malware.sfwx-9853337-0", "Spynote", "Worm:win32/cambot!rfn", "Virtool:win32/obfuscator.ki", "#lowfi:suspicioussectionname", "Win.malware.urelas", "Pws:win32/qqpass.b!mtb", "Win32:malob-bx\\ [cryp]", "Win.malware.zusy", "Alf:hstr:trojandownloader:win32/purityscan.a!bit", "Win32:malware" ], "industries": [ "Legal", "Government", "Telecommunications", "Technology", "Education" ], "unique_indicators": 16234 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tudongvina.com", "whois": "http://whois.domaintools.com/tudongvina.com", "domain": "tudongvina.com", "hostname": "www.mail.tudongvina.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa0a62f94a92b5168405c2", "name": "fedpaypal clone Q vashti", "description": "", "modified": "2026-03-06T06:39:27.872000", "created": "2026-03-05T22:57:38.559000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "68c5743593a4bcc81dd94b0b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1323, "URL": 4360, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13421, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5743593a4bcc81dd94b0b", "name": "Fed.PayPal.com - Ransom | Attacks via redirect", "description": "A monitored target, active on various payment platforms for business documented a malicious redirect event 1st seen in 2020. Follows pattern of multiple, critical and ongoing attacks beginning in 2013. In this instance target lost access to PayPal payments. If this is legal, it\u2019s been a grotesque grift. Target was financially and otherwise robbed.\n\n\n#trulymissed #paypal #advesaries #apple #twitter #backdoor #ransom #botnet #reptutationattack", "modified": "2025-10-13T13:27:11.277000", "created": "2025-09-13T13:40:05.671000", "tags": [ "present sep", "virtool", "cryp", "win32", "ip address", "trojan", "ransom", "asn as54113", "passive dns", "msil", "united states", "dynamicloader", "qaeaav12", "high", "qbeipbdii", "write", "paypal", "medium", "search", "vmware", "floodfix", "malware", "united", "mtb apr", "hostname add", "write c", "read c", "yara detections", "upxoepplace", "next", "markus", "april", "ping", "meta http", "content", "gmt server", "th th", "443 ma2592000", "ipv4 add", "url analysis", "urls", "body", "title", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "status", "name servers", "set cookie", "script urls", "present feb", "cookie", "template", "present oct", "present jul", "present dec", "present jun", "next associated", "urls show", "date checked", "present apr", "url hostname", "united kingdom", "unknown ns", "servers", "great britain", "msr aug", "msr apr", "msr nov", "ite o", "server response", "script script", "files show", "date hash", "avast avg", "creation date", "lcid1033", "sminnotek", "spnvirtualbox", "bvvirtualbox", "present mar", "present nov", "exploit", "error", "server response", "google safe", "results sep", "backdoor", "certificate", "mtb sep", "next http", "scans show", "present may", "results jun", "results jan", "worm", "echo request", "sweep", "payload hello", "world", "ids detections", "cape", "viking", "philis", "et", "torop", "des moines", "contacted hosts", "content reputation", "sabey type", "tulach type", "rexx type", "foundry type", "fred scherr", "twitter", "apple", "monitored target", "financial theft", "psalms 27: 1 - 14" ], "references": [ "fed.paypal.com [redirect for monitored target \u2022 1st documented 2020- still active]", "nr-data.net \u2022 init.ess.apple.com\t\u2022 apple-id-ifind.com \u2022 https://apple-id-ifind.com/\t\u2022 apple-lostandfound.com", "https://www.speakup.it/magazines/places/new-york-city-on-a-budget-big-apple-little-money_2368", "https://login.apple-mac.banugoker.com/cgi-sys/defaultwebpage.cgi \u2022 lsupport-apple.com", "login.apple-mac.banugoker.com \u2022 www.apple-mac.banugoker.com \u2022 http://apple-mac.banugoker.com/", "https://apple-mac.banugoker.com/ \u2022 https://login.apple-mac.banugoker.com/", "http://45.159.189.105/bot/regex \u2022 https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com \u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.\u2022 com/ \u2022 https://www.csrc.gov.cn.lxcvc.com/", "https://lk-prod-webcol.laika.com.co/category/bog/cat/farmacia/collares-isabelinos/todos/todo-para-mascota/1", "https://twitter.com/PORNO_SEXYBABES \u2022 https://megapornfreehd.com/2025/04/360", "https://57d5.zhanyu66.com/com.slamyugllp.strangerrun.xc.apk/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:MalOb-BX\\ [Cryp]", "display_name": "Win32:MalOb-BX\\ [Cryp]", "target": null }, { "id": "Win.Trojan.Fraudpack", "display_name": "Win.Trojan.Fraudpack", "target": null }, { "id": "Fakeav", "display_name": "Fakeav", "target": null }, { "id": "Ransom:MSIL/Genasom.I", "display_name": "Ransom:MSIL/Genasom.I", "target": "/malware/Ransom:MSIL/Genasom.I" }, { "id": "Virtool:Win32/Obfuscator.KI", "display_name": "Virtool:Win32/Obfuscator.KI", "target": "/malware/Virtool:Win32/Obfuscator.KI" }, { "id": "Toga!rfn", "display_name": "Toga!rfn", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null }, { "id": "Floxif", "display_name": "Floxif", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Win.Trojan.Cycler-47", "display_name": "Win.Trojan.Cycler-47", "target": null }, { "id": "Win.Trojan.Clicker-3506", "display_name": "Win.Trojan.Clicker-3506", "target": null }, { "id": "Win.Downloader.Unruy-10026469-0", "display_name": "Win.Downloader.Unruy-10026469-0", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Malware.Urelas", "display_name": "Win.Malware.Urelas", "target": null }, { "id": "Win.Malware.Zusy", "display_name": "Win.Malware.Zusy", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/QQPass!rfn", "target": null }, { "id": "Win.Malware.Eclz-9953021-0", "display_name": "Win.Malware.Eclz-9953021-0", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "display_name": "ALF:HSTR:TrojanDownloader:Win32/PurityScan.A!bit", "target": null }, { "id": "Win.Dropper.Tiggre-9845940-0", "display_name": "Win.Dropper.Tiggre-9845940-0", "target": null }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Win.Malware.Sfwx-9853337-0", "display_name": "Win.Malware.Sfwx-9853337-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Trojan:Win32/Kaicorn!rf", "display_name": "Trojan:Win32/Kaicorn!rf", "target": "/malware/Trojan:Win32/Kaicorn!rf" }, { "id": "Win32:Banker", "display_name": "Win32:Banker", "target": null }, { "id": "Worm:Win32/Cambot!rfn", "display_name": "Worm:Win32/Cambot!rfn", "target": "/malware/Worm:Win32/Cambot!rfn" }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1321, "URL": 4356, "FileHash-MD5": 759, "FileHash-SHA1": 748, "FileHash-SHA256": 5148, "domain": 1076, "email": 7 }, "indicator_count": 13415, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.mail.tudongvina.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.mail.tudongvina.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780226708.9343362 }