{ "type": "URL", "indicator": "https://www.oa.obic.co.jp/solution/cloud/cloudservice.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.oa.obic.co.jp/solution/cloud/cloudservice.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4158756264, "indicator": "https://www.oa.obic.co.jp/solution/cloud/cloudservice.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69434bae6aa51aea5cbe4686", "name": "Malicious Entertainment Licensing Scheme attacked independent artists", "description": "Unique entertainment scheme that seemed to have either intentionally usurped the copyrights of artists accepted for music licensing deals. It\u2019s possible company was attacked. Is connected to a target. Several entities related to this music licensing company were attacked by Pegasus and Lazarus Group including Sony music. Christopher P.\u2019Buzz\u2019 Ahmann is related to the attacks. Unfortunately a Colorado IT company that lists individuals related to hacked studio as an employee has been cyber stalking target. The licensing company is unavailable online. \nInteresting mafia relationships. \nOTX auto populated - AFFixmusic.com is an unregistered domain name with an address address of 166.109.7, the same address as GoDaddy.Com.co.org, which is also known as Godaddy.{", "modified": "2026-01-17T00:03:29.023000", "created": "2025-12-18T00:32:46.567000", "tags": [ "united", "as44273 host", "unknown xn", "title style", "f2f2f2 color", "helvetica neue", "twitter", "ipv4", "hosting", "helvetica arial", "united states", "verdict", "files ip", "name servers", "west domains", "as autonomous", "system", "cloudflar", "cisco", "umbrella rank", "unknown", "present dec", "nxdomain", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "godaddycomllc", "linux x8664", "khtml", "gecko", "cloudflarenet", "veryhigh", "americachicago", "conflict", "sameorigin", "cloudflare", "please", "text content", "ray id", "utc dns", "what happened", "thank", "cloudflare ray", "click", "performance", "general full", "resource", "name value", "url http", "server", "asn398787", "type mimetype", "uni idc", "passive dns", "urls", "hostname add", "url analysis", "files", "domain", "october", "divi object", "waypoint object", "reverse dns", "software", "asn26496", "resource hash", "security", "main", "google", "page url", "address as", "as26496", "screenshot page", "title affix", "music", "music licensing", "made easy", "history http", "found", "title", "extraction", "lte all", "search otx", "enter", "data upload", "enter source", "url data", "bad request", "next associated", "facebook url", "google url", "new releases", "music url", "kyle troop", "marsna design", "whitelisted", "status", "ip address", "search", "aaaa nxdomain", "present jan", "trojan", "pegasus", "location united", "as20773 host", "singapore", "asnone country", "netherlands", "germany", "as21499 host", "temple", "pulse submit", "date", "lte pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "lte c", "additionally", "url or", "text type", "expiration", "url https", "no expiration", "hostname", "iocs", "pulse show", "type indicator", "text drag", "drop or", "create c", "read c", "delete", "write", "medium", "create", "show", "rgba", "next", "dock", "execution", "malware", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "sha1", "network traffic", "show process", "hybrid", "general", "local", "path", "strings", "virus", "high", "dns query", "packing t1045", "pdb path", "pe resource", "win32", "present jun", "present mar", "a nxdomain", "present aug", "formpere", "msie", "windows nt", "entries", "defender", "t1071", "chrome", "creation date", "expiration date", "body", "t1045", "copy", "filehashsha256", "showing", "mafia", "lombardi mafia", "gambino", "genovese crime family", "crime families", "john t sasha", "jeffrey reimer", "navy", "danica implants", "jon", "bonus", "silva" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "France", "Poland", "Sweden", "Germany", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Japan", "Slovenia", "Spain", "Finland", "Hungary" ], "malware_families": [ { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "#LOWFI:HSTR:MSIL/Obfuscator", "display_name": "#LOWFI:HSTR:MSIL/Obfuscator", "target": null }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Win.Downloader.130721-1", "display_name": "Win.Downloader.130721-1", "target": null }, { "id": "Pegasus Family", "display_name": "Pegasus Family", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1172, "hostname": 1200, "URL": 2438, "email": 6, "FileHash-SHA256": 610, "FileHash-MD5": 490, "FileHash-SHA1": 463, "CIDR": 2, "SSLCertFingerprint": 3 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Name : iveins.de Service : connect", "hallplan.vm05.iveins.de", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "COINBASECARTEL" ], "malware_families": [ "!installcreatorpro_2_0", "Virtool:msil/covent", "Pegasus family", "Cve-2025-11727", "Exploit:js/cve-2014-0322", "#lowfi:hstr:msil/obfuscator.deepsea", "#lowfi:hstr:msil/obfuscator", "Win64:trojanx", "Msil:agent-dq\\ [trj]", "Virtool:msil/covent.a", "Trojan:win32/pynamer!rfn", "Win32:malware", "Kelihos", "Trojan:win32/tiggre!rfn", "Virus:win32/triusor.a", "Win.downloader.130721-1", "Tofsee" ], "industries": [ "Education" ], "unique_indicators": 16794 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/obic.co.jp", "whois": "http://whois.domaintools.com/obic.co.jp", "domain": "obic.co.jp", "hostname": "www.oa.obic.co.jp" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69434bae6aa51aea5cbe4686", "name": "Malicious Entertainment Licensing Scheme attacked independent artists", "description": "Unique entertainment scheme that seemed to have either intentionally usurped the copyrights of artists accepted for music licensing deals. It\u2019s possible company was attacked. Is connected to a target. Several entities related to this music licensing company were attacked by Pegasus and Lazarus Group including Sony music. Christopher P.\u2019Buzz\u2019 Ahmann is related to the attacks. Unfortunately a Colorado IT company that lists individuals related to hacked studio as an employee has been cyber stalking target. The licensing company is unavailable online. \nInteresting mafia relationships. \nOTX auto populated - AFFixmusic.com is an unregistered domain name with an address address of 166.109.7, the same address as GoDaddy.Com.co.org, which is also known as Godaddy.{", "modified": "2026-01-17T00:03:29.023000", "created": "2025-12-18T00:32:46.567000", "tags": [ "united", "as44273 host", "unknown xn", "title style", "f2f2f2 color", "helvetica neue", "twitter", "ipv4", "hosting", "helvetica arial", "united states", "verdict", "files ip", "name servers", "west domains", "as autonomous", "system", "cloudflar", "cisco", "umbrella rank", "unknown", "present dec", "nxdomain", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "godaddycomllc", "linux x8664", "khtml", "gecko", "cloudflarenet", "veryhigh", "americachicago", "conflict", "sameorigin", "cloudflare", "please", "text content", "ray id", "utc dns", "what happened", "thank", "cloudflare ray", "click", "performance", "general full", "resource", "name value", "url http", "server", "asn398787", "type mimetype", "uni idc", "passive dns", "urls", "hostname add", "url analysis", "files", "domain", "october", "divi object", "waypoint object", "reverse dns", "software", "asn26496", "resource hash", "security", "main", "google", "page url", "address as", "as26496", "screenshot page", "title affix", "music", "music licensing", "made easy", "history http", "found", "title", "extraction", "lte all", "search otx", "enter", "data upload", "enter source", "url data", "bad request", "next associated", "facebook url", "google url", "new releases", "music url", "kyle troop", "marsna design", "whitelisted", "status", "ip address", "search", "aaaa nxdomain", "present jan", "trojan", "pegasus", "location united", "as20773 host", "singapore", "asnone country", "netherlands", "germany", "as21499 host", "temple", "pulse submit", "date", "lte pulse", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "lte c", "additionally", "url or", "text type", "expiration", "url https", "no expiration", "hostname", "iocs", "pulse show", "type indicator", "text drag", "drop or", "create c", "read c", "delete", "write", "medium", "create", "show", "rgba", "next", "dock", "execution", "malware", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "sha1", "network traffic", "show process", "hybrid", "general", "local", "path", "strings", "virus", "high", "dns query", "packing t1045", "pdb path", "pe resource", "win32", "present jun", "present mar", "a nxdomain", "present aug", "formpere", "msie", "windows nt", "entries", "defender", "t1071", "chrome", "creation date", "expiration date", "body", "t1045", "copy", "filehashsha256", "showing", "mafia", "lombardi mafia", "gambino", "genovese crime family", "crime families", "john t sasha", "jeffrey reimer", "navy", "danica implants", "jon", "bonus", "silva" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "France", "Poland", "Sweden", "Germany", "United Kingdom of Great Britain and Northern Ireland", "Belgium", "Japan", "Slovenia", "Spain", "Finland", "Hungary" ], "malware_families": [ { "id": "Virus:Win32/Triusor.A", "display_name": "Virus:Win32/Triusor.A", "target": "/malware/Virus:Win32/Triusor.A" }, { "id": "#LOWFI:HSTR:MSIL/Obfuscator", "display_name": "#LOWFI:HSTR:MSIL/Obfuscator", "target": null }, { "id": "!InstallCreatorPro_2_0", "display_name": "!InstallCreatorPro_2_0", "target": null }, { "id": "Win.Downloader.130721-1", "display_name": "Win.Downloader.130721-1", "target": null }, { "id": "Pegasus Family", "display_name": "Pegasus Family", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1172, "hostname": 1200, "URL": 2438, "email": 6, "FileHash-SHA256": 610, "FileHash-MD5": 490, "FileHash-SHA1": 463, "CIDR": 2, "SSLCertFingerprint": 3 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6935c92c5fc93fd873c6aa6d", "name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)", "description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727", "modified": "2026-01-06T18:04:02.620000", "created": "2025-12-07T18:36:28.055000", "tags": [ "memcommit", "read c", "t1082", "cryptexportkey", "invalid pointer", "write", "msil", "malware", "media", "autorun", "countries", "united", "america", "high defense", "evasion", "t1055", "ck technique", "technique id", "allocates", "potential code", "attempts", "threatintel", "dark web", "coinbasecartel", "ransomware", "osint", "tor", "data breach", "cinvestav", "ai generated", "ransomware leak", "page", "november", "investigacin y", "nacional", "mexican", "mexico", "present nov", "verdana", "td tr", "passive dns", "ip address", "urls", "aaaa", "present may", "present oct", "present jul", "virtool", "present sep", "present jun", "win32", "default", "unicode", "png image", "rgba", "high", "dock", "execution", "xport", "unknown", "data upload", "extraction", "will", "data", "name cloudflare", "hostmaster name", "org cloudflare", "townsend st", "city san", "us creation", "kelihos", "ipv4", "present dec", "files", "domain", "search", "hostname", "verdict", "location united", "asn as16625", "akamai", "urls show", "date checked", "url hostname", "server response", "google safe", "results nov", "present aug", "backdoor", "msie", "chrome", "trojan", "mtb aug", "worm", "cryp", "junkpoly", "twitter", "trojandropper", "title", "germany unknown", "ipv4 add", "pulse pulses", "hosting", "reverse dns", "cologne", "search engine", "gse compromised", "redacted for", "privacy admin", "privacy tech", "server", "organization", "street", "city", "stateprovince", "postal code", "country", "resolver domain", "cape sa", "virustot", "type pdf", "name", "lookups", "email abuse", "historical ssl", "certificates", "first", "graph summary", "cname", "address", "ip2location", "bogon ip", "admin", "network", "wifi password", "ssid", "demo", "details", "failed", "include review", "exclude sugges", "onlv", "x try", "find s", "typ url", "url data", "severity att", "module load", "icmp traffic", "dns query", "t1055 jseval", "windows nt", "port", "entries", "destination", "medium", "show", "pecompact", "june", "service", "next", "xserver", "encrypt", "t1129", "windows module", "dlls", "convention", "windows native" ], "references": [ "Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS", "Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "hallplan.vm05.iveins.de", "https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c", "Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx", "Name : iveins.de Service : connect", "https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com", "phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com", "https://otx.alienvault.com/indicator/cve/CVE-2025-11727" ], "public": 1, "adversary": "COINBASECARTEL", "targeted_countries": [ "United States of America", "Sweden", "Bangladesh", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "MSIL:Agent-DQ\\ [Trj]", "display_name": "MSIL:Agent-DQ\\ [Trj]", "target": null }, { "id": "VirTool:MSIL/Covent.A", "display_name": "VirTool:MSIL/Covent.A", "target": "/malware/VirTool:MSIL/Covent.A" }, { "id": "Trojan:Win32/Pynamer!rfn", "display_name": "Trojan:Win32/Pynamer!rfn", "target": "/malware/Trojan:Win32/Pynamer!rfn" }, { "id": "Win64:TrojanX", "display_name": "Win64:TrojanX", "target": null }, { "id": "VirTool:MSIL/Covent", "display_name": "VirTool:MSIL/Covent", "target": "/malware/VirTool:MSIL/Covent" }, { "id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea", "target": null }, { "id": "Win32:Malware", "display_name": "Win32:Malware", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "CVE-2025-11727", "display_name": "CVE-2025-11727", "target": null }, { "id": "Exploit:JS/CVE-2014-0322", "display_name": "Exploit:JS/CVE-2014-0322", "target": "/malware/Exploit:JS/CVE-2014-0322" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [ "Education" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 117, "FileHash-SHA256": 1746, "URL": 5018, "hostname": 1827, "domain": 1072, "CVE": 3, "email": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9938, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.oa.obic.co.jp/solution/cloud/cloudservice.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.oa.obic.co.jp/solution/cloud/cloudservice.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776636696.0307333 }