{ "type": "URL", "indicator": "https://www.pegasus.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.pegasus.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4342186363, "indicator": "https://www.pegasus.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0050a164795207832b4331", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-12T06:40:06.849000", "created": "2026-05-10T09:32:17.372000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 773, "URI": 5, "FileHash-MD5": 200, "FileHash-SHA1": 197, "IPv4": 304, "URL": 461, "domain": 319, "hostname": 315, "CIDR": 8, "email": 9, "Mutex": 1, "CVE": 62 }, "indicator_count": 2654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f7fa1a282840a6e0aa370c", "name": "May the 4th be with... every destructed file that never died", "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.", "modified": "2026-05-05T05:04:02.911000", "created": "2026-05-04T01:44:57.811000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3142, "hostname": 1890, "IPv4": 162, "URL": 3241, "CIDR": 12, "email": 37, "domain": 1616, "URI": 1, "SSLCertFingerprint": 18 }, "indicator_count": 10828, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage.", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Spynote", "Cypher", "Hybrid trojan spy and banker", "Spymax" ], "industries": [ "Education", "Technology", "Government", "Legal", "Telecommunications" ], "unique_indicators": 11042 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pegasus.com", "whois": "http://whois.domaintools.com/pegasus.com", "domain": "pegasus.com", "hostname": "www.pegasus.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6a03fda1f49694a8a727a708", "name": "REvil, Sodinokibi & Prophet Chakras", "description": "REvil / Sodinokibi and CVE-2018-8543 which affects remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka \"Chakra Scripting Engine Memory Corruption Vulnerability.\" This affects Microsoft Edge, ChakraCore. [NIST] Sodinokibi, also known as REvil, is a sophisticated ransomware-as-a-service (RaaS) variant known for its devastating impact on targeted systems and widespread distribution. It poses a significant threat to cybersecurity, encrypting files on infected systems and demanding ransom payments from victims in exchange for decryption keys. [Cybersight]. MGM- Reference guest stays Jan1,25.", "modified": "2026-05-14T02:18:30.475000", "created": "2026-05-13T04:27:13.098000", "tags": [ "file info", "score", "botnet", "file report", "tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "resolved ips", "unix", "blowfish", "sha1", "django", "pbkdf2sha256", "joomla", "wordpress", "ciscoios", "sha512", "ntlm", "win32", "expl", "antiyavl trojan", "ransom", "arctic wolf", "unsafe avast", "avira", "microsoft edge", "engine memory", "chakracore", "cve id", "cve20188541", "cve20188542", "cve20188551", "cve20188555", "cve20188556", "cve20188557", "share", "script md5", "share share" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 72, "FileHash-SHA256": 142, "URL": 217, "domain": 283, "hostname": 468, "FileHash-SHA1": 38, "Mutex": 1, "IPv4": 310, "CVE": 8, "IPv6": 4, "email": 2 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0050a164795207832b4331", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-12T06:40:06.849000", "created": "2026-05-10T09:32:17.372000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 773, "URI": 5, "FileHash-MD5": 200, "FileHash-SHA1": 197, "IPv4": 304, "URL": 461, "domain": 319, "hostname": 315, "CIDR": 8, "email": 9, "Mutex": 1, "CVE": 62 }, "indicator_count": 2654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f7fa1a282840a6e0aa370c", "name": "May the 4th be with... every destructed file that never died", "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.", "modified": "2026-05-05T05:04:02.911000", "created": "2026-05-04T01:44:57.811000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3142, "hostname": 1890, "IPv4": 162, "URL": 3241, "CIDR": 12, "email": 37, "domain": 1616, "URI": 1, "SSLCertFingerprint": 18 }, "indicator_count": 10828, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.pegasus.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.pegasus.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222561.7840528 }