{
"type": "URL",
"indicator": "https://www.swiss-contribution.cz/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://www.swiss-contribution.cz/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4120819124,
"indicator": "https://www.swiss-contribution.cz/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a0cb6a89a10d13623a0018",
"name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet",
"description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink",
"modified": "2025-09-15T16:04:47.043000",
"created": "2025-08-16T18:18:18.657000",
"tags": [
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"httponly",
"samesitelax",
"read c",
"medium",
"rgba",
"unicode",
"port",
"memcommit",
"delete",
"next",
"dock",
"write",
"execution",
"present aug",
"united",
"ip address",
"name servers",
"unknown ns",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"pattern match",
"show technique",
"ck matrix",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"href",
"size",
"t1480 execution",
"file defense",
"ascii text",
"trojan",
"passive dns",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"urls",
"files",
"location united",
"ipv4",
"url analysis",
"america flag",
"america asn",
"backdoor",
"win32",
"malware",
"date",
"domain",
"segoe ui",
"a domains",
"security tls",
"san jose",
"asn8075",
"reverse dns",
"software",
"resource hash",
"general full",
"status",
"emails",
"expiration date",
"asp",
"microsoft oem",
"found",
"running webserver",
"netherlands",
"creation date",
"aaaa",
"certificate",
"protocol h2",
"name value",
"hash",
"present jun",
"present apr",
"moved",
"control att",
"t1573 encrypted",
"channel command",
"decrypted ssl",
"runtime process",
"appdata",
"windows nt",
"svg scalable",
"patch",
"internal",
"core",
"high",
"tcp syn",
"icmp traffic",
"dns query",
"av detections",
"ashburn",
"ai device id",
"telnet",
"windows script",
"microsoft",
"host",
"yara detections",
"pdb path",
"pe resource",
"script host",
"test",
"hostname add",
"files ip",
"domains",
"hashes",
"ireland",
"mtb jun",
"mtb may",
"device local",
"remotewd",
"nemtih",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"present jul",
"domain add",
"colorado",
"quasi",
"contracts",
"botnet",
"remote access",
"virginia",
"c++",
"hacking",
"monitored target",
"silencing campaign",
"audio recording",
"cameras",
"full service",
"tactics"
],
"references": [
"Handled by Lumen Technologies | What kind of darkness is this?",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"dev.myhpnmedicaid.com",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Trojan:Win32/Daws",
"display_name": "Trojan:Win32/Daws",
"target": "/malware/Trojan:Win32/Daws"
},
{
"id": "ELF:Mirai-ATI",
"display_name": "ELF:Mirai-ATI",
"target": null
},
{
"id": "Trojan:Win32/IRCbot",
"display_name": "Trojan:Win32/IRCbot",
"target": "/malware/Trojan:Win32/IRCbot"
},
{
"id": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Trojandropper:Win32/Muldrop.V!MTB",
"display_name": "Trojandropper:Win32/Muldrop.V!MTB",
"target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1092",
"name": "Communication Through Removable Media",
"display_name": "T1092 - Communication Through Removable Media"
},
{
"id": "T1433",
"name": "Access Call Log",
"display_name": "T1433 - Access Call Log"
}
],
"industries": [
"Technology",
"Telecommunications",
"Contracts",
"Government",
"Finance",
"Insurance",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4880,
"domain": 575,
"hostname": 1419,
"FileHash-SHA256": 1745,
"FileHash-MD5": 284,
"FileHash-SHA1": 263,
"email": 5,
"CVE": 1
},
"indicator_count": 9172,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://l.us-1.a.mimecastprotect.com/l",
"div>
",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"I apologize for the lack of reference.",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Requires further research.",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"Same legal , and quasi governmental pattern identified",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"Handled by Lumen Technologies | What kind of darkness is this?",
"It appears there are 5-7 known affected that I was able to find",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"dev.myhpnmedicaid.com",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojan:win32/daws",
"Tofsee",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Malware",
"Win.packed.generic-9967832-0",
"Icedid",
"Elf:mirai-ati",
"Custom malware",
"Trojan:win32/smkldr.h!mtb",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan:win32/ircbot",
"Mydoom",
"Trojandropper:win32/muldrop.v!mtb",
"Trojan:win32/zombie.a"
],
"industries": [
"Insurance",
"Technology",
"Civil society",
"Legal",
"Government",
"Finance",
"Contracts",
"Telecom",
"Telecommunications"
],
"unique_indicators": 21795
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/swiss-contribution.cz",
"whois": "http://whois.domaintools.com/swiss-contribution.cz",
"domain": "swiss-contribution.cz",
"hostname": "www.swiss-contribution.cz"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 2,
"pulses": [
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68a0cb6a89a10d13623a0018",
"name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet",
"description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink",
"modified": "2025-09-15T16:04:47.043000",
"created": "2025-08-16T18:18:18.657000",
"tags": [
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"httponly",
"samesitelax",
"read c",
"medium",
"rgba",
"unicode",
"port",
"memcommit",
"delete",
"next",
"dock",
"write",
"execution",
"present aug",
"united",
"ip address",
"name servers",
"unknown ns",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"pattern match",
"show technique",
"ck matrix",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"href",
"size",
"t1480 execution",
"file defense",
"ascii text",
"trojan",
"passive dns",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"urls",
"files",
"location united",
"ipv4",
"url analysis",
"america flag",
"america asn",
"backdoor",
"win32",
"malware",
"date",
"domain",
"segoe ui",
"a domains",
"security tls",
"san jose",
"asn8075",
"reverse dns",
"software",
"resource hash",
"general full",
"status",
"emails",
"expiration date",
"asp",
"microsoft oem",
"found",
"running webserver",
"netherlands",
"creation date",
"aaaa",
"certificate",
"protocol h2",
"name value",
"hash",
"present jun",
"present apr",
"moved",
"control att",
"t1573 encrypted",
"channel command",
"decrypted ssl",
"runtime process",
"appdata",
"windows nt",
"svg scalable",
"patch",
"internal",
"core",
"high",
"tcp syn",
"icmp traffic",
"dns query",
"av detections",
"ashburn",
"ai device id",
"telnet",
"windows script",
"microsoft",
"host",
"yara detections",
"pdb path",
"pe resource",
"script host",
"test",
"hostname add",
"files ip",
"domains",
"hashes",
"ireland",
"mtb jun",
"mtb may",
"device local",
"remotewd",
"nemtih",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"present jul",
"domain add",
"colorado",
"quasi",
"contracts",
"botnet",
"remote access",
"virginia",
"c++",
"hacking",
"monitored target",
"silencing campaign",
"audio recording",
"cameras",
"full service",
"tactics"
],
"references": [
"Handled by Lumen Technologies | What kind of darkness is this?",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"dev.myhpnmedicaid.com",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Trojan:Win32/Daws",
"display_name": "Trojan:Win32/Daws",
"target": "/malware/Trojan:Win32/Daws"
},
{
"id": "ELF:Mirai-ATI",
"display_name": "ELF:Mirai-ATI",
"target": null
},
{
"id": "Trojan:Win32/IRCbot",
"display_name": "Trojan:Win32/IRCbot",
"target": "/malware/Trojan:Win32/IRCbot"
},
{
"id": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Trojandropper:Win32/Muldrop.V!MTB",
"display_name": "Trojandropper:Win32/Muldrop.V!MTB",
"target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1092",
"name": "Communication Through Removable Media",
"display_name": "T1092 - Communication Through Removable Media"
},
{
"id": "T1433",
"name": "Access Call Log",
"display_name": "T1433 - Access Call Log"
}
],
"industries": [
"Technology",
"Telecommunications",
"Contracts",
"Government",
"Finance",
"Insurance",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4880,
"domain": 575,
"hostname": 1419,
"FileHash-SHA256": 1745,
"FileHash-MD5": 284,
"FileHash-SHA1": 263,
"email": 5,
"CVE": 1
},
"indicator_count": 9172,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://www.swiss-contribution.cz/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://www.swiss-contribution.cz/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780242293.9216816
}