{ "type": "URL", "indicator": "https://www.smiles.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.smiles.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3785930503, "indicator": "https://www.smiles.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-03-24T05:58:24.002000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "IPv4": 28, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-03-24T05:58:21.777000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "IPv4": 28, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d5b9a901f21d7148c4f08", "name": "Data Server - |Win.Trojan.Shiz, \u2022PWS:Win32/Simda.D", "description": "- dl.fdlserver.com appears to be or have been used as a software and / or data delivery service. Requires further investigation. It sure is malicious. Found in multiple attacks.\n*Win.Trojan.Shiz-664 , *PWS:Win32/Simda.D\nIDS Detections:\n\u2022 Unsupported/Fake Internet Explorer Version MSIE 2.\n\u2022 Unsupported/Fake Windows NT Version 5.0\nYara Detections: \n\u2022 generic_shellcode_downloader\nAlerts\n\u2022 polymorphic\n\u2022 procmem_yara\n\u2022 static_pe_anomaly\n\u2022 antiav_detectfile\n\u2022 deletes_self\n\u2022 dynamic_function_loading\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx\n\u2022 stealth_network\n\u2022 queries_user_name\n\u2022 stealth_timeout\n\u2022 language_check", "modified": "2025-09-01T00:04:55.557000", "created": "2025-08-02T00:28:10.007000", "tags": [ "united", "entries", "passive dns", "virtool", "next associated", "ipv4 add", "pulse pulses", "urls", "files", "hosting", "body", "present jun", "present may", "present oct", "present apr", "present nov", "present jan", "present dec", "present jul", "netherlands", "present aug", "present feb", "creation date", "status", "ip address", "search", "name", "name servers", "expiration date", "date", "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "show", "write", "copy", "simda", "malware", "push", "extraction", "failed", "data upload", "include", "extraction data", "enter soudae", "lidi ad", "tewdaccarad ad", "ddawce type", "extri", "include review", "extra", "include data", "location united", "medium", "record value", "cowboy", "encrypt", "high" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 402, "FileHash-SHA1": 400, "FileHash-SHA256": 1798, "URL": 7586, "domain": 937, "hostname": 2470, "email": 1, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 13596, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65618963e4e45d0c53f8e770", "name": "ww1.imobitracking.net", "description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.", "modified": "2023-12-25T03:01:27.395000", "created": "2023-11-25T05:42:59.043000", "tags": [ "creation date", "search", "passive dns", "urls", "address", "record value", "emails", "date", "showing", "body", "unknown", "cowboy", "encrypt", "resolver ip", "whois lookups", "server", "iana id", "registrar abuse", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "first", "dns replication", "algorithm", "key usage", "google", "record type", "ttl value", "cname", "data", "v3 serial", "contacted", "ssl certificate", "threat roundup", "march", "august", "referrer", "whois record", "communicating", "june", "april", "copy", "february", "cobalt strike", "remcos", "emotet", "core", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "phishing site", "malicious site", "malware", "internet storm", "united", "cyber threat", "heur", "malicious url", "mail spammer", "suppobox", "bambernek", "cronup threat", "team", "facebook", "malicious", "phishing", "download", "virut", "unruy", "bandoo", "matsnu", "tofsee", "simda", "vawtrak", "hotmail", "qakbot", "asyncrat", "tsara brashears", "no data", "count blacklist", "tag tag", "pattern match", "ascii text", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "appdata", "path", "hybrid", "general", "local", "click", "strings", "class", "generator", "critical", "error", "tor known", "tor relayrouter", "node tcp", "traffic", "host", "cins active", "poor reputation", "spammer", "barracuda et", "artemis", "iframe", "cleaner", "unsafe", "riskware", "agent", "wacatac", "bank", "opencandy", "nircmd", "swrort", "downldr", "crack", "presenoker", "filetour", "conduit", "xtrat", "azorult", "service", "runescape", "acint", "systweak", "behav", "tiggre", "genkryptik", "exploit", "xrat", "installcore", "patcher", "adload", "win64", "softcnapp", "union", "ponmocup", "fusioncore", "trojanspy", "webtoolbar", "maltiverse", "114.114.114.114", "tulach", "tracking", "apple", "illegal", "target", "c2", "cnc", "scanning_host", "CVE-2011-0611", "CVE-2017-0147", "CVE-2014-3153", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-11882", "CVE-2018-4893", "CVE-2018-8174", "CVE-2020-0601", "CVE-2023-22518" ], "references": [ "ww1.imobitracking.net", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "114.114.114.114", "signin-appleid.jackpotiot.com", "https://www.anyxxxtube.net/media/favicon/apple", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://httpdev.findatoyota.com", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "t.prototype.hasownproperty.call", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Bandoo", "display_name": "Bandoo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1569, "FileHash-MD5": 489, "URL": 7420, "domain": 917, "FileHash-SHA1": 247, "email": 3, "FileHash-SHA256": 2578, "CVE": 11 }, "indicator_count": 13234, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "pegacloud.net", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "We can't connect to the server for this & x Lambda function", "IDS: OnionDuke CnC Beacon 1", "coolwebsearch.info | browser hijacker, malware , malicious", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://fakejuko.site40/", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "IDS: Observed Suspicious UA (Mozilla/5.0)", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "t.prototype.hasownproperty.call", "signin-appleid.jackpotiot.com", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "https://httpdev.findatoyota.com", "IDS Detections: Query for .cc TLD 403 Forbidden", "dropox.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1", "IDS: Win32/Ibashade CnC Beacon", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "The Lambda function associated with the CloudFront distribution was throttled.", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "IDS: Data POST to an image file (jpg)", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "ww1.imobitracking.net", "IDS: Win32.Scar.hhrw POST", "https://www.anyxxxtube.net/media/favicon/apple", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "114.114.114.114" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cycbot", "Winsoft", "Webtoolbar", "Win.dropper.darkkomet-9370806-0", "Alf:heraklezeval:pua:win32/installcore.r", "Tags", "Unix.trojan.mirai-9441505-0", "Trojandropper:win32/ponmocup", "Suppobox", "Win.trojan.agent-36211", "Win.malware.mydoom-6804696-0\tworm:win32/mydoom win.malware.mydoom-6804696-0\tworm:win32/mydoom sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#lowfi:hstr:optimuminstal", "Ransom:win32/wannacrypt.h", "Win.downloader.14593-1", "Trojan:win32/danginex", "Tofsee", "Win32:wormx-gen [wrm]", "Pegasus - mob-s0005", "Private internet access", "Tiggre", "Mirai", "Win.trojan.generic-9909777-0", "Trojan.redirector.js", "Remcos", "Trojan:win32/bulta!rfn", "Virtool:win32/obfuscator.jm", "Tulach malware", "Win.trojan.generic-9909777-0 #lowfi:hstr:optimuminstaller", "Win.malware.generic-9963787-0", "Trojan:win32/mydoom", "Win.malware.agent-6598770-0", "Trojan.startpage-1612", "Worm:win32:drolnux", "Coolwebsearch", "Win.malware.generickdz-9918324-0", "Bandoo", "Trojan.cycbot-2671", "Checkin", "Virut", "Win.trojan.agent-336291", "Coolwebservice", "Xrat", "Win.ransomware.wanna-9769986-0", "Vawtrak", "Trojanspy", "Win.malware.installcore-9794583-0", "Opencandy", "Win. trojan.agent-292909" ], "industries": [ "Telecommunications", "Government", "Technology" ], "unique_indicators": 49496 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/smiles.com", "whois": "http://whois.domaintools.com/smiles.com", "domain": "smiles.com", "hostname": "www.smiles.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c228009e33309be83b65b7", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-03-24T05:58:24.002000", "created": "2026-03-24T05:58:24.002000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "IPv4": 28, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c227fd2960e96cae88fb97", "name": "Dropbox Typo squatting campaign. CoolWebSearch, CycBot , Mirai and Ransomware | Many domains affected.", "description": "Dropbox Typo squatting campaign. Mirai and Ransomware | Many domains affected.\n\nHas been executed. Threat actor attacked bank/s and Dropbox via Drive by compromises and malicious redirects. Multiple Dropbox accounts added to customer accounts confuse bank and customers. All accounts kept until Bank experienced serious breach. Bank admits to breach. Unsure if made public. Customer suddenly loses all paid storage, business tools , registered domains , and investment accounts. Bank empathizes targeted attacks.\nOccurred post initial infection & Pegasus Attack by same threat actors.", "modified": "2026-03-24T05:58:21.777000", "created": "2026-03-24T05:58:21.777000", "tags": [ "domain", "ipv4", "ck t1045", "run keys", "startup", "web protocols", "tool transfer", "user execution", "dns", "accept", "active related", "adversaries", "alerts", "apache", "as133618", "ascii text", "australia asn", "av detections", "christopher p ahmann", "brian sabey", "ck id", "ck matrix", "delete", "data upload", "defense evasion", "data", "cycbot", "cowboy", "coolwebsearch", "content", "contacted", "command", "connection", "delphi", "detection", "drop", "location", "manu", "dynamicloader", "elite", "emails", "encrypt", "error", "external", "extraction", "exploit", "failed", "gmt", "format", "forbidden", "privacy", "files", "feat file", "score", "refresh", "!redirect", "ratio", "redacted", "cycbot", "mirai", "unix", "ransomware", "trojan", "ransom", "query", "proximity", "pragma", "pegasus relationship", "typo squatting", "over path", "texarac", "name tactics", "h6rryf", "meta", "mitre att", "redirect", "malware", "malicious", "gmt server", "http header", "local", "little endian", "javascript", "is elf", "learn", "ipv4", "lambda", "lamk", "installer", "hall render", "index", "http request", "high risk", "insert", "ids detections", "informative", "indicator", "facts", "script style", "win32danginex", "trojanclicker", "trojan spy", "spyware", "udp", "windows", "vtab", "virtool", "trojan", "script strings", "stop data", "upatre", "spawns", "united states", "trojanspy", "tam legal", "secchuaplatform", "secchua", "virtool", "ransom", "quasi" ], "references": [ "dropox.com", "Win.Trojan.Agent-31647 \u2022 IDS: Detections CoolWebSearch Spyware (Feat)", "IDS Detections: Query for .cc TLD 403 Forbidden", "103.224.212.215 \u2022 rigs.zu0x.com \u2022 Australia : AS133618 trellian pty. limited", "UDP Include internal to internal communication Top Source 192.168.122.131 Top Destination 8.8.8.8 x", "u47.cc \u2022 IP Address 13.248.169.48, 76.223.54.146 | United States ASN AS16509 amazon.com", "u47.cc \u2022 | Domain is sinkholed | Registrar: ENAME TECHNOLOGY CO., LTD., x", "The Lambda function associated with the CloudFront distribution was throttled.", "We can't connect to the server for this & x Lambda function", "Error https://otx.alienvault.com/indicator/hostname/lb-212-215.above.com", "https://hybrid-analysis.com/sample/6ac18dcdfd4164ed7beeffffc995c5349c52b01dfObe5000f25294d698faf3b9/69c1b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win. Trojan.Agent-292909", "display_name": "Win. Trojan.Agent-292909", "target": null }, { "id": "Win.Trojan.Agent-336291", "display_name": "Win.Trojan.Agent-336291", "target": null }, { "id": "Trojan.Cycbot-2671", "display_name": "Trojan.Cycbot-2671", "target": null }, { "id": "Virtool:Win32/Obfuscator.JM", "display_name": "Virtool:Win32/Obfuscator.JM", "target": "/malware/Virtool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Agent-36211", "display_name": "Win.Trojan.Agent-36211", "target": null }, { "id": "Win.Malware.Agent-6598770-0", "display_name": "Win.Malware.Agent-6598770-0", "target": null }, { "id": "Win.Downloader.14593-1", "display_name": "Win.Downloader.14593-1", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Trojan:Win32/Danginex", "display_name": "Trojan:Win32/Danginex", "target": "/malware/Trojan:Win32/Danginex" }, { "id": "Trojan.Redirector.JS", "display_name": "Trojan.Redirector.JS", "target": null }, { "id": "Win.Ransomware.Wanna-9769986-0", "display_name": "Win.Ransomware.Wanna-9769986-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "CoolWebSearch", "display_name": "CoolWebSearch", "target": null }, { "id": "CycBot", "display_name": "CycBot", "target": null }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan:Win32/Bulta!rfn", "display_name": "Trojan:Win32/Bulta!rfn", "target": "/malware/Trojan:Win32/Bulta!rfn" }, { "id": "Trojan.Startpage-1612", "display_name": "Trojan.Startpage-1612", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 245, "FileHash-SHA256": 246, "IPv4": 28, "URL": 548, "CVE": 1, "SSLCertFingerprint": 6, "domain": 198, "email": 6, "hostname": 337 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d5b9a901f21d7148c4f08", "name": "Data Server - |Win.Trojan.Shiz, \u2022PWS:Win32/Simda.D", "description": "- dl.fdlserver.com appears to be or have been used as a software and / or data delivery service. Requires further investigation. It sure is malicious. Found in multiple attacks.\n*Win.Trojan.Shiz-664 , *PWS:Win32/Simda.D\nIDS Detections:\n\u2022 Unsupported/Fake Internet Explorer Version MSIE 2.\n\u2022 Unsupported/Fake Windows NT Version 5.0\nYara Detections: \n\u2022 generic_shellcode_downloader\nAlerts\n\u2022 polymorphic\n\u2022 procmem_yara\n\u2022 static_pe_anomaly\n\u2022 antiav_detectfile\n\u2022 deletes_self\n\u2022 dynamic_function_loading\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx\n\u2022 stealth_network\n\u2022 queries_user_name\n\u2022 stealth_timeout\n\u2022 language_check", "modified": "2025-09-01T00:04:55.557000", "created": "2025-08-02T00:28:10.007000", "tags": [ "united", "entries", "passive dns", "virtool", "next associated", "ipv4 add", "pulse pulses", "urls", "files", "hosting", "body", "present jun", "present may", "present oct", "present apr", "present nov", "present jan", "present dec", "present jul", "netherlands", "present aug", "present feb", "creation date", "status", "ip address", "search", "name", "name servers", "expiration date", "date", "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "show", "write", "copy", "simda", "malware", "push", "extraction", "failed", "data upload", "include", "extraction data", "enter soudae", "lidi ad", "tewdaccarad ad", "ddawce type", "extri", "include review", "extra", "include data", "location united", "medium", "record value", "cowboy", "encrypt", "high" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 402, "FileHash-SHA1": 400, "FileHash-SHA256": 1798, "URL": 7586, "domain": 937, "hostname": 2470, "email": 1, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 13596, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65618963e4e45d0c53f8e770", "name": "ww1.imobitracking.net", "description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.", "modified": "2023-12-25T03:01:27.395000", "created": "2023-11-25T05:42:59.043000", "tags": [ "creation date", "search", "passive dns", "urls", "address", "record value", "emails", "date", "showing", "body", "unknown", "cowboy", "encrypt", "resolver ip", "whois lookups", "server", "iana id", "registrar abuse", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "first", "dns replication", "algorithm", "key usage", "google", "record type", "ttl value", "cname", "data", "v3 serial", "contacted", "ssl certificate", "threat roundup", "march", "august", "referrer", "whois record", "communicating", "june", "april", "copy", "february", "cobalt strike", "remcos", "emotet", "core", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "phishing site", "malicious site", "malware", "internet storm", "united", "cyber threat", "heur", "malicious url", "mail spammer", "suppobox", "bambernek", "cronup threat", "team", "facebook", "malicious", "phishing", "download", "virut", "unruy", "bandoo", "matsnu", "tofsee", "simda", "vawtrak", "hotmail", "qakbot", "asyncrat", "tsara brashears", "no data", "count blacklist", "tag tag", "pattern match", "ascii text", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "appdata", "path", "hybrid", "general", "local", "click", "strings", "class", "generator", "critical", "error", "tor known", "tor relayrouter", "node tcp", "traffic", "host", "cins active", "poor reputation", "spammer", "barracuda et", "artemis", "iframe", "cleaner", "unsafe", "riskware", "agent", "wacatac", "bank", "opencandy", "nircmd", "swrort", "downldr", "crack", "presenoker", "filetour", "conduit", "xtrat", "azorult", "service", "runescape", "acint", "systweak", "behav", "tiggre", "genkryptik", "exploit", "xrat", "installcore", "patcher", "adload", "win64", "softcnapp", "union", "ponmocup", "fusioncore", "trojanspy", "webtoolbar", "maltiverse", "114.114.114.114", "tulach", "tracking", "apple", "illegal", "target", "c2", "cnc", "scanning_host", "CVE-2011-0611", "CVE-2017-0147", "CVE-2014-3153", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-11882", "CVE-2018-4893", "CVE-2018-8174", "CVE-2020-0601", "CVE-2023-22518" ], "references": [ "ww1.imobitracking.net", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "114.114.114.114", "signin-appleid.jackpotiot.com", "https://www.anyxxxtube.net/media/favicon/apple", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://httpdev.findatoyota.com", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "t.prototype.hasownproperty.call", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Bandoo", "display_name": "Bandoo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1569, "FileHash-MD5": 489, "URL": 7420, "domain": 917, "FileHash-SHA1": 247, "email": 3, "FileHash-SHA256": 2578, "CVE": 11 }, "indicator_count": 13234, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.smiles.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.smiles.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776618380.692239 }