{ "type": "URL", "indicator": "https://www.window.open/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.window.open/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3775963094, "indicator": "https://www.window.open/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b7cb05b2098c1d2bf20f", "name": "federal goverment clone cellbrite credit q vashti", "description": "", "modified": "2026-03-12T12:55:39.046000", "created": "2026-03-12T12:55:39.046000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": "696f7d467763ed4d4e74d133", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698037098c99c37cb91037c2", "name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple", "description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann", "modified": "2026-03-04T04:07:14.513000", "created": "2026-02-02T05:32:57.303000", "tags": [ "no expiration", "filehashsha256", "ipv4", "url http", "domain", "hostname", "filehashmd5", "filehashsha1", "iocs", "url https", "search", "type indicator", "review iocs", "role title", "create new", "pulse use", "pdf report", "pcap", "extraction", "sc data", "extre data", "include review", "exclude sugges", "data upload", "failed", "find s", "oo data", "enter source", "url or", "text drag", "expiration", "showing", "entries", "protect", "pulse show", "email abuse", "related pulses", "indicator role", "returnurl no", "drop", "pulse provide", "public tlp", "green", "adversary tags", "buzz", "x8664", "add tag", "groups add", "add industry", "trojan", "tags" ], "references": [ "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "Antivirus Detections: Trojan:Win32/Dorv.A", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org", "Antivirus Detections: Win.Malware.Pits-10035540-0", "Yara: Detections Delphi", "Alerts: infostealer_cookies antiav_detectfile", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "https://cpcontacts.apple4you.it", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://fs25.mygamesteam.com/download/underground-parking/", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Suspicious Activity potential UPnProxy", "Yara Detections: is__elf , ECHOBOT", "Alerts: dead_host network_icmp tcp_by", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Hungary" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "DDos:Linux/Gafgyt.YA!MTB", "display_name": "DDos:Linux/Gafgyt.YA!MTB", "target": "/malware/DDos:Linux/Gafgyt.YA!MTB" }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Pykspa.C", "display_name": "Pykspa.C", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Unix.Trojan.Gafgyt-698115", "display_name": "Unix.Trojan.Gafgyt-698115", "target": null }, { "id": "4-0 Win.Malware.Pits-10035540-0", "display_name": "4-0 Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Packed.Usteal-7531303-0", "display_name": "Win.Packed.Usteal-7531303-0", "target": null }, { "id": "tR", "display_name": "tR", "target": null }, { "id": "DeathHiddenTear (Large&Small HT) >", "display_name": "DeathHiddenTear (Large&Small HT) >", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1586, "FileHash-SHA1": 1479, "FileHash-SHA256": 1938, "URL": 4548, "domain": 1052, "hostname": 2501, "email": 9, "SSLCertFingerprint": 7, "CIDR": 2 }, "indicator_count": 13122, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69770bdfbdd845a3d5cb2484", "name": "Drive-by Compromise | Rootkit installed on Apple Device", "description": "Drive-by Compromise | Rootkit installed on Apple Device | The devices in this example are obviously compromised. We tested a device another Apple device by viewing a Sprouts Farmers Market E-commerce website. The App crashed revealing the source of the issue. I admit that even though device is HEAVILY compromised by threat actors; it continued to preform.\nThis week the Apple devices have experienced a series of BLACK & PINK stutters One had the letter \u2018P\u2019. The most important part of the research is who & why someone targets victims of crime who are either deceased or catastrophically injured. One victims \u2018voice\u2019 has been captured and is now calling people she knew and creeping them out. \n\nAlso curious about the \u2018Hello\u2019 api lineages. Malware packed. Check-ins & Bot Network found.\n\n[OTX auto populated- Here is the full list of URLs from the 20th anniversary of the birth of Daylin Olson, who was born and raised in New York in the US, and who he is now.]\n\n#stop", "modified": "2026-02-25T06:02:12.072000", "created": "2026-01-26T06:38:23.334000", "tags": [ "url https", "url http", "netherlands", "france", "united", "canada", "spain", "ascii text", "pattern match", "mitre att", "ck id", "null", "refresh", "title", "span", "hybrid", "general", "local", "path", "strings", "error", "tools", "look", "verify", "restart", "meta", "form", "bad traffic", "et info", "tls handshake", "failure", "flag", "windir", "openurl c", "prefetch2", "analysis", "ck matrix", "href", "network traffic", "encrypt", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "initial access", "zerobits", "allocationtype", "protect", "programfiles", "processhandle", "commitsize", "viewsize", "regionsize", "viewsize d5000", "viewsize c9000", "phishing", "filehandle", "report uid", "handles modules", "files amsi", "streams", "path filehandle", "porthandle", "modules files", "amsi streams", "accept", "starfield", "onload", "root", "backdoor", "passive dns", "next associated", "gmt location", "ipv4 add", "urls", "files", "search", "domain address", "markmonitor", "name server", "se referen", "ntprotec", "data upload", "extraction", "country", "overview dns", "requests domain", "date", "contacted hosts", "ip address", "defense evasion", "found", "size", "mask", "enterprise", "trojanspy", "checkin", "gmt content", "vercel x", "twitter", "trojan", "malware", "for privacy", "servers", "domains ii", "record value", "ca issuers", "unknown aaaa", "status", "present jul", "moved", "present jan", "present oct", "present sep", "unknown ns", "present dec", "ipv4", "url analysis", "location united", "1.25.26", "q.vashti pulse", "cloud", "foundry", "process details", "formbook cnc", "cape", "autoit", "high", "formbook", "yara rule", "delete", "get na", "write", "unknown", "copy", "autoit error", "autoIt paused", "global", "div div", "script script", "h6 div", "p div", "registrar", "project", "showing", "emails", "name servers", "ids detec", "domain", "hostname", "hello", "spyware" ], "references": [ "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "NtProtectVirtualMemory@NTDLL.DLL", "66.33.60.130 command_and_control", "76.76.21.61 command_and_control", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "http://cve.chainguard.dev", "http://partners.spycloud.com", "https://signin-pro-azure.crayon.com/signin-oidc", "Invalid IP (052.105.023.053)", "https://codesearch.criteois.com/opengrok/search?q=", "https://grok-chatbot.tapnetic.pro/$", "spywarewatchdog.org", "http://git.spywarewatchdog.org", "https://bot.dev.talos-systems.io/", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Dropper.Gh0stRAT-10028210-0", "display_name": "Win.Dropper.Gh0stRAT-10028210-0", "target": null }, { "id": "Backdoor:Win32/Kanav.A", "display_name": "Backdoor:Win32/Kanav.A", "target": "/malware/Backdoor:Win32/Kanav.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Trojan.Upatre-3371", "display_name": "Win.Trojan.Upatre-3371", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.A", "display_name": "TrojanDownloader:Win32/Upatre.A", "target": "/malware/TrojanDownloader:Win32/Upatre.A" }, { "id": "Win.Dropper.LokiBot-10010685-0", "display_name": "Win.Dropper.LokiBot-10010685-0", "target": null }, { "id": "Win.Packed.Dapato-10021645-0", "display_name": "Win.Packed.Dapato-10021645-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Win.Packed.Malwarex-9792170-0", "display_name": "Win.Packed.Malwarex-9792170-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "AutoIt", "display_name": "AutoIt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" } ], "industries": [ "Ecommerce", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6777, "domain": 907, "hostname": 2070, "FileHash-SHA256": 1120, "FileHash-MD5": 202, "FileHash-SHA1": 184, "SSLCertFingerprint": 23, "email": 4 }, "indicator_count": 11287, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696f7d467763ed4d4e74d133", "name": "Federal Government-Cellebrite Attack found actively targeting iOS and other devices | Mirai login attempts | TelNet Login", "description": "https://cellebrite.com/en/federal-government/ | Found on a crime victims devices. Targets abused by spyware in an unethical manner by andvesarial \u2018governmental\u2019 possibly \u2018contracted\u2019 entities. Waged against targets such as victims of crime , journalists , researchers , students. Target Users: Serves public safety, enterprise, and government sectors, aiding first responders, investigators, prosecutors, and analysts. How it's Used Law enforcement uses it to unlock devices and retrieve evidence like messages, location history, and app data for criminal investigations. It helps uncover critical information from digital devices, even recovering data that users thought was permanently deleted. Controversy & Privacy Concerns While marketed as a tool for lawful investigations, its powerful data extraction capabilities raise significant privacy concerns and ethical debates.", "modified": "2026-02-19T12:05:47.166000", "created": "2026-01-20T13:04:06.622000", "tags": [ "url https", "url http", "germany", "united", "ukraine", "japan", "extraction", "data upload", "urls", "url analysis", "enter sc", "extr", "iocs", "active", "france unknown", "present jan", "servers", "homair sweet", "grabber", "encrypt", "ipv4", "role title", "divx", "pitfall", "internet", "ip role", "america asn", "extraction data", "leveibielabs", "all se", "enter source", "url or", "texirag", "drop", "present nov", "united states", "america", "levdibidelabs", "failed", "idron anv", "include manualv", "review data", "iterng", "name servers", "passive dns", "incapsula", "meta name", "robots content", "x ua", "ieedge chrome1", "script head", "request", "cookie", "indicator", "msie", "chrome", "backdoor", "gmt content", "ipv4 add", "twitter", "title", "process32nextw", "ms windows", "intel", "pe32", "regopenkeyexa", "read c", "medium", "class", "write", "template", "present oct", "present jul", "aaaa", "present sep", "present aug", "url add", "http", "hostname", "related tags", "kx81xdbx0f", "x86xd3", "xa7xe28x06", "x82xd4", "delete c", "regsetvalueexa", "regbinary", "xa1xf1", "xe8xc2x14", "malware", "stream", "unknown", "win32", "persistence", "execution", "push", "present dec", "italy", "present jun", "embeddedwb", "whitelisted", "windows nt", "dns traffic", "russia", "cname", "accept", "destination", "port", "et smtp", "message", "et trojan", "components", "suspicious", "download", "hostile", "next", "logic", "gather victim", "et info", "etpro trojan", "trojan", "report spam", "interesting", "created", "pegasus", "manipulation", "service", "capture", "et", "etpro", "host", "attack", "mtb description", "windows", "shellexecuteexw", "writeconsolew", "registry", "t1031", "modify existing", "dock", "type indicator", "added active", "related pulses", "arcflex", "filehashsha1", "types of", "learn more", "filehashsha256", "cellebrite", "white label", "search", "sha1", "france", "cmanual jan", "expiration date", "domain add", "pulse submit", "files", "ip address", "gmt cache", "sameorigin", "reverse dns", "unknown ns", "admin org", "zipcode", "gmt server", "pulse pulses", "entries", "hostname add", "verdict", "germany unknown", "status", "domain", "xpirat", "netherlands", "netherlands asn", "as35280 acorus", "dns resolutions", "error", "files ip", "copy", "telnet login", "suspicious path", "busybox", "login attempt", "gpl telnet", "high", "tcp syn", "telnet root", "path", "mirai", "emails", "domain name", "jlu11q", "tqbplo", "hours ago", "found", "yahoo", "gmail", "yandex", "https://cellebrite.com/en/federal-government/", "monitoring", "monitored target", "dangerous", "spyware", "80211", "colorado", "x amz", "government", "mirai login attempt", "emotet", "c2", ".ru", ".com", "denver", "indicator role", "title added", "active related", "pulses hostname", "dead connect", "hostile", "adversarial", "abuse", "criminal intent", "block messages", "botnet" ], "references": [ "fastwebnet.it | Cellebrite White Label Spyware Service", "putrhnwl.exe", "Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "IP\u2019s Contacted : 54.230.129.165", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Domains Contacted: pitfall.divx.com www.google.com", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Yara: Detections Tofsee", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "ET TROJAN Suspicious double Server Header", "ET DNS DNS Query to a .tk domain - Likey", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "Needs to be sorted. Actively being exploited on US", "162.159.134.42 \u2022 https://cellebrite.com/", "https://cellebrite.com/en/federal-government/", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Ireland", "Switzerland", "Poland", "Belgium", "Netherlands", "Sweden" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Aptdrop.RU", "display_name": "Trojan:Win32/Aptdrop.RU", "target": "/malware/Trojan:Win32/Aptdrop.RU" }, { "id": "Ransomware/Win.Stop.R4529", "display_name": "Ransomware/Win.Stop.R4529", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Win32/BackdoorX", "display_name": "Win32/BackdoorX", "target": null }, { "id": "Win.Trojan.Dialog-9873788-0", "display_name": "Win.Trojan.Dialog-9873788-0", "target": null }, { "id": "Tsunami-6981155-0", "display_name": "Tsunami-6981155-0", "target": null }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Backdoor:Linux/DemonBot", "display_name": "Backdoor:Linux/DemonBot", "target": "/malware/Backdoor:Linux/DemonBot" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1196", "name": "Control Panel Items", "display_name": "T1196 - Control Panel Items" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1581", "name": "Geofencing", "display_name": "T1581 - Geofencing" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Journalists", "Government", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4994, "domain": 2519, "hostname": 3281, "FileHash-SHA256": 4467, "FileHash-MD5": 1118, "FileHash-SHA1": 1056, "email": 12, "SSLCertFingerprint": 1 }, "indicator_count": 17448, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "58 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69612a0df518040b20932bef", "name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store", "description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]", "modified": "2026-02-08T15:00:50.749000", "created": "2026-01-09T16:17:17.632000", "tags": [ "defense evasion", "cor ta0011", "techni process", "application l", "encrypted ch", "christ jesus", "just", "final charge", "timothy10", "antioch", "iconium", "lystra", "lord", "holy scriptures", "scripture", "bible gateway", "no expiration", "expiration", "a domains", "present sep", "united", "present jun", "meta", "present oct", "present aug", "servers", "title", "data upload", "extraction", "palantir foundry", "listeners", "dev", "redirects", "redirect health", "health data", "utc google", "utc na", "script", "utc amazon", "bible", "meta tags", "read", "bible reading", "trackers google", "anchor", "analyse headers", "contenttype", "transferenco", "connection", "date fri", "server", "read c", "as16509", "rgba", "unicode", "execution", "dock", "write", "persistence", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "moved", "urls", "pegasus", "encrypt", "script urls", "record value", "tls handshake", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "next", "capture", "malware", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "access att", "t1189 driveby", "html", "mitre att", "ck matrix", "ascii text", "pattern match", "et info", "bad traffic", "hybrid", "general", "local", "path", "click", "adversaries", "execution att", "t1204 user", "t1480 execution", "null", "refresh", "span", "strings", "error", "tools", "look", "verify", "restart", "timothy", "search", "tag manager", "g8t6ln06z40", "code", "css", "js", "router", "cloudfront", "John 12:17", "port", "yara rule", "high", "tofsee", "rndhex", "rndchar", "destination", "loaderid", "lidfileupd", "stream" ], "references": [ "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://pegasus.pahamify.com/", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "John 12:17" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Bible Gateway", "display_name": "Bible Gateway", "target": null }, { "id": "Pahamify Pegasus", "display_name": "Pahamify Pegasus", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6527, "hostname": 2450, "FileHash-SHA256": 1716, "FileHash-MD5": 245, "FileHash-SHA1": 134, "domain": 1101, "email": 3, "SSLCertFingerprint": 8 }, "indicator_count": 12184, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6958372ef9da31513d96bebb", "name": "Connected-IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation", "description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022 ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced | 180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.", "modified": "2026-02-01T20:00:08.812000", "created": "2026-01-02T21:22:54.247000", "tags": [ "syscall", "nsrunloop", "objcclass", "region type", "start", "vsize", "prtmax shrmod", "region detailn", "unused space", "at startn", "guard", "urls", "url analysis", "verdict", "domain", "address", "location japan", "hikone", "japan asn", "as4713 ntt", "related tags", "none external", "aaaa", "united", "passive dns", "ip address", "japan", "present dec", "domain add", "files", "japan unknown", "present jul", "present oct", "present sep", "present aug", "present jun", "japan showing", "urls show", "date checked", "url hostname", "server response", "google safe", "reverse dns", "present nov", "present", "present may", "present mar", "present apr", "data upload", "extraction", "failed", "files ip", "moved", "gmt content", "ipv4 add", "location united", "title", "ipv4", "dns resolutions", "hostname add", "asn as4713", "all ipv4", "google", "ocn ntt", "googlecl", "http", "amazon02", "akamaias", "page url", "yahoojp", "december", "jp summary", "february", "asn15169", "tokyo", "kansas city", "asn396982", "asn30286", "asn16509", "cisco", "umbrella rank", "cisco umbrella", "rank", "kitashinagawa", "sureserver ev", "ca g3", "domains", "hashes", "microsoft", "docomo business", "ml14325", "as autonomous", "asn8075", "ip information", "ipasns ip", "detail domain", "domain tree", "links domain", "requested", "value", "automatic", "webgl", "please", "mr value", "muid value", "mjl function", "dcmlinker", "paq string", "kb script", "b image", "b script", "frame a344", "redirect chain", "kb document", "frame", "b xhr", "kb image", "fetch collect", "request chain", "redirected", "http redirect", "name servers", "redacted for", "servers", "unknown aaaa", "search", "for privacy", "domeny serwery", "verdana tahoma", "arial", "gmt contenttype", "meta", "small", "results jan", "present jan", "status", "record value", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "process details", "flag", "japan japan", "pattern match", "ascii text", "mitre att", "ck id", "null", "refresh", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "learn", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "monitored target", "pulse submit", "wikipedia", "imap", "smtp", "ocn open", "discussion", "stub", "jprs database", "ocnnttocn", "maintenance", "outages notice", "lock status", "state", "connected", "organization", "type", "name", "server", "name server", "connected date", "algorithm", "key identifier", "data", "v3 serial", "number", "cjp ocybertrust", "ev ca", "g3 validity", "ku ontt", "docomo", "record type", "ttl value", "thumbprint", "emails", "date", "trojan", "pegasus", "title error", "hostname", "pulse pulses", "entries", "mtb apr", "lowfi", "win32", "a domains", "body", "worm", "virtool", "cybota", "showing", "palantir", "prometheus" ], "references": [ "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp", "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp", "ocn.ad.jp - Registrant Org: NTT Communications Corporation", "Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN", "Nippon Telegraph and Telephone Corporation one governmental now privated", "computersandsoftware \u2022 portal sites \u2022 search engines and portals", "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com", "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2", "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80", "https://discussions.apple.com/thread/255214328?sortBy=rank", "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators", "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact", "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com", "swarm-foundry.com", "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art", "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com", "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5", "server-3-164-143-102.nrt20.r.cloudfront.net", "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com", "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com", "https://ww41.porn25.com/", "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA", "If something curious is found on privatelybowen property we have a constitutional right to examine it.", "Other constitutional rights and privileges written in law where severe courses of action is allowed", "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..", "Device targeted with l RMS Modules by male in Denver, Co", "Attempts to clip target at high rate of speed.Seen again at her residence in October", "Target was monitored in store and followed home needed to stop multiple times , change routes.", "Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.", "Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents", "The older the smarter the way better. These people are brilliant , ruthless and dangerous", "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.", "Malicious activity seen since a Pulse regarding school outage.", "Location search was used to find device users address. It\u2019s with me.", "Delete service is being used on this Threat service", "Many indicators point to an IP this block is on.", "It\u2019s so out of hand,m for 16 people.", "https://prometheus-pushgateway-internal.preview.tp-staging.com/", "prometheus.netmaker.vonnue.dev", "prometheus.dev.aws.finoa.io", "Prometheus - Alien God? Morality through the eyes of the immoral", "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2879, "domain": 1372, "URL": 5788, "FileHash-SHA256": 1720, "CVE": 1, "FileHash-MD5": 238, "FileHash-SHA1": 241, "email": 13 }, "indicator_count": 12252, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "76 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694dc80ac6e7fd5474b316a1", "name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal", "description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |", "modified": "2026-01-24T22:05:13.068000", "created": "2025-12-25T23:26:02.712000", "tags": [ "hash avast", "avg clamav", "msdefender feb", "url http", "url https", "zipcode", "active related", "cage01195 dec", "passports", "ipv4", "active", "irs", "apple", "role title", "indicator role", "malware attacks", "find encrypted", "lumen", "fastly", "create c", "read c", "delete", "write", "default", "medium", "rgba", "dock", "execution", "xport", "united", "passive dns", "urls", "expiration date", "unknown ns", "unknown aaaa", "pulse pulses", "merit", "dod network", "type indicator", "related pulses", "name", "name servers", "ffffff", "ip address", "emails", "object", "clsid6bf52a52", "cookie", "meta", "united kingdom", "germany", "russia", "search", "added active", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "href", "pattern match", "ascii text", "ck id", "mitre att", "ck matrix", "t1071", "general", "local", "path", "iframe", "click", "beginstring", "segoe ui", "null", "refresh", "span", "hybrid", "strings", "error", "tools", "title", "look", "verify", "restart", "data upload", "extraction", "failed", "include data", "entries", "unicode", "high", "memcommit", "next", "flag", "process details", "path expiresthu", "moved", "gmt set", "domain", "httponly path", "encrypt", "leaseweb", "iowa", "title added", "bad traffic", "et info", "tls handshake", "failure", "command decode", "suricata stream", "circle", "f5f8fa", "learn", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "suricata http", "windows nt", "date", "ips initial", "prefetch8", "localappdata", "prefetch1", "programfiles", "edge", "access att", "t1566 phishing", "initial access", "show process", "show technique", "process", "t1057", "contacted", "ck techniques", "evasion att", "body", "report spam", "apple", "ddos", "irs created", "hours ago", "white", "apple user", "industries", "government", "finance", "trojandropper", "appleservice", "mirai", "trojan", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "alerts", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "analysis date", "file score", "medium risk", "copy", "richhash", "finding notes", "clamav malware", "files matching", "number", "sample analysis", "samples show", "date hash", "yara rule", "msie", "t1063", "windows", "malware", "detected", "https domain", "tls sni", "markus", "smartassembly", "win64", "exif data", "present dec", "status", "showing", "show", "icmp traffic", "pdb path", "crlf line", "mutex", "ms defender", "mtb malware", "hide samples", "rootkit", "apple webkit", "macbook pro", "apple ios" ], "references": [ "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "http://sissy.com/default - Adult Content", "https://eliyporasa - Adult Content", "64.38.232.180 - Adult Content IP", "www.anyxxxtube.net - Adult Content", "www.anyxxxtube.net - Adult Content IP", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "asp.bet", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "Information gathered equals 2 pulses. Pulse (1) included", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "Follow up need. This is a serious financial crime following the victims.", "Victims have lost financial assets, jobs, vehicles", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.Ramnit-1847", "display_name": "Win.Trojan.Ramnit-1847", "target": null }, { "id": "Win.Trojan.Fenomengame-14", "display_name": "Win.Trojan.Fenomengame-14", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Adialer", "display_name": "ALF:JASYP:Trojan:Win32/Adialer", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]", "display_name": "ELF:DDoS-S\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Gafgyt-6981154-0", "display_name": "Unix.Trojan.Gafgyt-6981154-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [ "Financial", "Government", "Technology", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 360, "FileHash-SHA256": 3009, "URL": 3504, "domain": 879, "email": 15, "hostname": 1487, "SSLCertFingerprint": 3 }, "indicator_count": 9620, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "84 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2bb5d9ee8577ab5519f2c", "name": "Meritshealth with DoD links? ", "description": "", "modified": "2026-01-13T00:05:56.401000", "created": "2025-10-05T18:39:25.286000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": "68e2b14d83bb63502feac65e", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1365, "URL": 11172, "hostname": 2780, "FileHash-MD5": 381, "FileHash-SHA256": 4420, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 20486, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2b14d83bb63502feac65e", "name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.", "description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?", "modified": "2026-01-07T00:00:30.717000", "created": "2025-10-05T17:56:29.109000", "tags": [ "gtmk5nxqc6", "utc amazon", "utc na", "acceptencoding", "gmt contenttype", "connection", "true pragma", "gmt setcookie", "httponly", "gmt vary", "nc000000 up", "html document", "unicode text", "utf8 text", "oc0006 http", "http traffic", "https http", "mitre att", "control ta0011", "protocol t1071", "match info", "t1573 severity", "info", "number", "ja3s", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft cus", "get http", "dns resolutions", "registrar", "markmonitor inc", "country", "resolver domain", "type name", "html", "apnic", "apnic whois", "please", "rirs", "cidr", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "development att", "name tactics", "binary file", "ck matrix", "wheelchair", "iamrobert", "pattern match", "ascii text", "href", "united", "general", "local", "path", "encrypt", "click", "passive dns", "urls", "files", "reverse dns", "netherlands", "present aug", "a domains", "moved", "first pqc", "ip address", "unknown ns", "unknown aaaa", "title", "body", "meta", "window", "accept", "body doctype", "welcome", "ok server", "gmt content", "present jul", "present sep", "aaaa", "hostname", "error", "defense evasion", "windows nt", "response", "vary", "strings", "core", "t1027.013 encrypted/encoded", "michelin lazy k", "prefetch8", "flag", "date", "starfield", "hybrid", "mobility cr", "extraction", "data upload", "include", "o url", "url url", "included i0", "review ioc", "excluded ic", "suggested", "find sugi", "failed", "cre pul", "enter", "enter sc", "type", "enric", "extra", "type opaste", "data u", "included", "copy md5", "copy sha1", "copy sha256", "null", "refresh", "tools", "look", "verify", "restart", "t1480 execution", "expiration", "url https", "no expiration", "iocs", "ipv4", "text drag", "drop or", "browse to", "select file", "redacted for", "server", "privacy tech", "privacy admin", "postal code", "stateprovince", "organization", "email", "code", "quantum rooms", "sam somalia", "emp", "porn", "media defense", "gov porn", "suck my nips", "reimer suspect", "jeffrey reimer", "dod", "department of defense", "show", "date checked", "url hostname", "server response", "google safe", "results may", "entries http", "scans record", "value status", "sabey type", "merits fake", "y.a.s.", "pornography", "ramsom" ], "references": [ "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://meumundogay-com.sexogratis.page/locker", "https://es.pornhat.com/models/the-sex-creator/", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Can the DoD no questions asked target a SA victim", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "There is fear in silence or speaking out", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "If someone is believed to be a threat they have right to due process.", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "iamrobert.com Y.A.S.", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Target agreed and complied with all lie detector measures.", "Is the family allowed to have a funeral for Tsara or print an obituary", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "I am very upset. Whoever is doing this is sick." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "TA0042", "name": "Resource Development", "display_name": "TA0042 - Resource Development" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.008", "name": "Disable Cloud Logs", "display_name": "T1562.008 - Disable Cloud Logs" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1328, "URL": 9931, "hostname": 2621, "FileHash-MD5": 381, "FileHash-SHA256": 4360, "FileHash-SHA1": 338, "CIDR": 4, "SSLCertFingerprint": 24, "CVE": 1, "email": 1 }, "indicator_count": 18989, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692a86b454eea18b993a2078", "name": "DC RAT Injection | Endgame Systems | Lazarus Group related", "description": "Monitoring. MITRE ATT&CK (T1057) Monitored target/s. DNS requests. Property discovery \n\nRelated to Lazarus Groups expansion", "modified": "2025-12-29T03:02:56.986000", "created": "2025-11-29T05:37:56.021000", "tags": [ "ukraine", "win32", "dynamicloader", "ssl cert", "write c", "asyncrat", "various rat", "dcrat", "write", "guard", "malware", "all ipv4", "ukraine asn", "dns resolutions", "domains top", "level", "read c", "memcommit", "user execution", "delete", "msie", "windows nt", "dock", "execution", "masking", "yara rule", "high", "windows", "msvisualcpp60", "process", "intel", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "access att", "t1566 phishing", "flag", "ukraine ukraine", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "dynu", "mitre att", "ck matrix", "ascii text", "pattern match", "network traffic", "t1071", "t1057", "general", "local", "path", "beginstring", "segoe ui", "null", "refresh", "body", "click", "strings", "error", "tools", "title", "look", "verify", "restart" ], "references": [ "https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957", "Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains", "registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.", "MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "display_name": "ALF:HeraklezEval:Trojan:Win32/AmsiTamper.B", "target": null }, { "id": "Win.Trojan.DcRat-10039889-0", "display_name": "Win.Trojan.DcRat-10039889-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "TA0039", "name": "Remote Service Effects", "display_name": "TA0039 - Remote Service Effects" }, { "id": "TA0038", "name": "Network Effects", "display_name": "TA0038 - Network Effects" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 482, "URL": 819, "FileHash-SHA256": 274, "domain": 102, "email": 1, "FileHash-MD5": 73, "FileHash-SHA1": 65, "SSLCertFingerprint": 1 }, "indicator_count": 1817, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "111 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6919473b9e0624394e9b68e9", "name": "Backdoor:Linux/DemonBot Affecting Unsecured servers", "description": "A closer look at a hacker group found in Mirai Bot Network. Catgirls is still active , has running web server , is only viewable to group according to remarks regarding \u2018catgirls\u2019 domains , sub domains , hosts.\n\n Multiple hosts , name servers and links. .Backdoor:Linux/DemonBot Malicious attacks affecting unsecured servers (personal , business) networks, DDOS attacks , Mitre. Worm, Ransomware. \n\nHacker group has seemingly caused a fair ammunition of damage to small businesses and / or individuals/civil society.. Seen in attacks against handful of targets are in this Mirai Botnet. Of course we know how very large the Mirai Botnet is.", "modified": "2025-12-16T03:02:09.743000", "created": "2025-11-16T03:38:35.430000", "tags": [ "server", "algorithm", "x509v3 subject", "registrar abuse", "v3 serial", "spaceship", "community", "related pulses", "cidr", "mirai botnet", "hacker", "mirai att", "ck id", "group", "active", "generic pong", "reporting arch", "msie", "windows nt", "resolverror", "backdoor", "malware", "strings", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ipv4", "iocs", "drop", "review iocs", "found", "ascii text", "pattern match", "mitre att", "beginstring", "null", "refresh", "span", "hybrid", "click", "error", "tools", "look", "verify", "restart", "united", "moved", "passive dns", "urls", "record value", "unknown aaaa", "gmt content", "title", "cookie", "signing defense", "t1553 technique", "subvert trust", "controls learn", "disable", "modify tools", "defense evasion", "t1562 technique", "rdap", "domain database", "dap domain", "datab", "database", "array", "content", "ascii", "form", "initial access", "execution", "present aug", "present jul", "present nov", "present oct", "ip address", "command decode", "suricata ipv4", "localappdata", "windir", "openurl c", "programfiles", "edge", "cloudflare", "ssl certificate", "size", "starfield", "accept", "path", "general", "local", "hostname add", "pulse pulses", "read c", "port", "destination", "rgba", "unicode text", "medium", "unknown", "code", "write", "pecompact", "packer", "delphi", "win32", "persistence", "crash", "next", "china unknown", "chrome", "internal server", "next associated", "ipv4 add", "trojandropper", "date", "domain", "search", "domain add", "certificate", "next http", "scans show", "found title", "head body", "hostname", "files", "files ip", "address", "location united", "asn asnone", "present feb", "present jun", "unknown ns", "internet", "emails", "present sep", "show", "memcommit", "gapd5d", "key0", "packing t1045", "filehash", "sha1 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "mirai", "json", "total", "delete", "win64", "url http", "http", "related nids", "files location", "flag united", "gmt cache", "pulse submit", "url analysis", "verdict", "win32dh", "reverse dns", "america flag", "worm", "warehouse mgmt", "built", "retailexperts", "read", "top source", "top destination", "aaaa", "ransom", "trojan", "entries", "singapore", "singapore asn", "as16509", "present mar", "creation date", "contacted", "hostile", "targeting", "whitelisted", "high", "systemroot", "as15169", "copy", "global", "dynamicloader", "directui", "yara rule", "element", "classinfobase", "ccbase", "hwndhost", "windows" ], "references": [ "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2" ], "public": 1, "adversary": "Mirai", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:Linux/DemonBot.Aa!MTB", "display_name": "Backdoor:Linux/DemonBot.Aa!MTB", "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB" }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null }, { "id": "mirai", "display_name": "mirai", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Worm:Win32/Locksky.gen!A", "display_name": "Worm:Win32/Locksky.gen!A", "target": "/malware/Worm:Win32/Locksky.gen!A" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "domain": 428, "hostname": 882, "FileHash-SHA256": 2213, "FileHash-MD5": 675, "FileHash-SHA1": 530, "email": 7, "CIDR": 1, "CVE": 1, "SSLCertFingerprint": 23 }, "indicator_count": 6751, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2ca40b12d7f02af896284", "name": "Exploit Kit - 77.67.27.35 Isolated", "description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com", "modified": "2025-11-04T19:02:34.015000", "created": "2025-10-05T19:42:56.097000", "tags": [ "win32dh", "mxigd4et", "united", "passive dns", "entries", "next associated", "present oct", "win32virut feb", "all ipv4", "pulse pulses", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "evasion att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "null", "refresh", "body", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "information", "whois", "amsterdam", "noordholland", "summary", "as3257 gtt", "bgp looking", "glass", "as3257", "ip transit", "global", "jfif", "clsid", "jpeg image", "windows nt", "gif image", "msie", "rgba", "utf8 unicode", "malware", "copy", "write", "next", "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "ripe ncc", "ripe network" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Hong Kong" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 195, "FileHash-SHA1": 106, "FileHash-SHA256": 254, "URL": 603, "hostname": 256, "domain": 74, "CIDR": 3, "email": 2 }, "indicator_count": 1493, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e2b9fd811ffc6684ba25f7", "name": "Isolated DoD now DoW nodes - emotional commentary", "description": "*https://www.sentient.industries/\n*trk.b.jackrogersusa.com\n*http://trk.southerntide.com/\nOTX is auto populating this pulse. Let\u2019s see\u2026", "modified": "2025-11-04T18:01:18.650000", "created": "2025-10-05T18:33:33.277000", "tags": [ "united", "present feb", "present may", "aaaa", "present jul", "passive dns", "ip address", "present dec", "present sep", "present jun", "url https", "url http", "type indicator", "role title", "added active", "related pulses", "germany", "taiwan", "netherlands", "china", "search", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "size", "pattern match", "mitre att", "ck id", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "filehashmd5", "hostname", "filehashsha256", "types of", "indicator role", "title added", "active related", "pulses url", "ruby", "jeffrey reimer", "target", "tsara", "information", "capture", "gather victim", "report spam", "kill targets", "created", "starfield", "show technique", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1180", "name": "Screensaver", "display_name": "T1180 - Screensaver" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1333, "domain": 355, "URL": 5874, "hostname": 1066, "FileHash-SHA1": 101, "FileHash-MD5": 88, "SSLCertFingerprint": 2 }, "indicator_count": 8819, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68beb866c8ed898ed0ece438", "name": "BlackieVirus . Expanded- Apple", "description": "", "modified": "2025-10-08T10:00:30.227000", "created": "2025-09-08T11:05:10.064000", "tags": [ "present may", "present apr", "unknown ns", "present sep", "unknown aaaa", "present jun", "present dec", "passive dns", "ip address", "virtool", "win32cve sep", "trojan", "mtb sep", "ipv4", "urls", "trojanspy", "united states", "dynamicloader", "ms windows", "observed dns", "query", "windows nt", "wow64", "khtml", "gecko", "pe32", "write", "media", "malware", "suspicious", "learn", "ck id", "name tactics", "informative", "command", "defense evasion", "adversaries", "spawns", "t1204 user", "mitre att", "ck matrix", "null", "error", "click", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "apple", "entries", "write c", "defender", "tencent", "hostname add", "pulse submit", "url analysis", "present jul", "present mar", "present oct", "saudi arabia", "united", "present feb", "creation date", "search", "title", "date", "botnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Win.Trojan.Filerepmalware-10008115-0", "display_name": "Win.Trojan.Filerepmalware-10008115-0", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 951, "hostname": 1766, "URL": 4969, "FileHash-MD5": 337, "FileHash-SHA1": 317, "FileHash-SHA256": 4296, "CVE": 1, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 12639, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d7fd544aa8cf483b02d5c", "name": "Sinkhole | Win32/Dofoil.R CnC Beacon", "description": "#LowFI:VBExpensiveLoop\n*Worm:Win32/Gamarue [Static Pe Anomaly \u2022\nContains Pe Overlay \u2022\nBinary Yara]\n- Win32/Dofoil.R CnC Beacon |\nAlerts:\n\u2022 suspicious_iocontrol_codes\n\u2022 physical_drive_access", "modified": "2025-09-13T06:02:44.359000", "created": "2025-08-14T06:19:01.666000", "tags": [ "lowfi", "united", "entries", "passive dns", "open ports", "next associated", "ipv4", "pulse pulses", "urls", "files", "domain", "address", "creation date", "name servers", "date", "hostname add", "dynamicloader", "medium", "fake", "high", "post", "show", "search", "observed http", "reg add", "copy", "write", "june", "malware", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "ascii text", "mitre att", "ck id", "null", "error", "click", "body", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "mask", "generator" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 180, "FileHash-SHA256": 458, "URL": 436, "domain": 69, "hostname": 156, "email": 1, "SSLCertFingerprint": 9 }, "indicator_count": 1484, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d14258dd07e26a3bb1d46", "name": "PalantirFoundry.com (?) Multiple Remote Controlled Devices", "description": "Hacking.\nI\u2019m not sure if this is masquerading or not yet. Anything with \u2018PalantirFoundry.com\u2019 redirects to actual Palanrir login. Multiple users. Potentially 5000+ devices included in pulse. All monitored targets.", "modified": "2025-09-12T22:00:43.252000", "created": "2025-08-13T22:39:33.511000", "tags": [ "passive dns", "urls", "files", "ip address", "asn as16509", "less whois", "registrar", "unknown related", "servers", "status", "hostname", "domain", "files ip", "address", "united", "unknown ns", "a domains", "search", "script urls", "authority", "record value", "service", "mirai", "cloud provider", "reverse dns", "sydney", "australia asn", "as16509", "dns resolutions", "related tags", "none indicator", "write c", "mozilla", "nsisinetc", "show", "medium", "entries", "high", "http", "delete", "write", "malware", "data upload", "ms windows", "intel", "pe32", "lowfi", "next", "showing", "present feb", "present jun", "present dec", "present aug", "present may", "present jul", "moved", "media", "segoe ui", "ipv4", "url analysis", "location united", "error", "regopenkeyexa", "regsetvalueexa", "read c", "port", "destination", "regdword", "windows nt", "hostile", "win32", "unknown", "delphi", "persistence", "execution", "extraction", "l data", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "type", "please", "pulse submit", "url add", "pulse pulses", "related nids", "files location", "flag united", "ddos", "next associated", "files show", "date hash", "avast avg", "virtool", "downloader", "dadobra", "date", "certificate", "montreal", "canada", "asn16509", "amazon02", "screenshot", "title login", "palantir", "page url", "history https", "evasion att", "remember", "label", "button", "form", "general full", "url https", "protocol h2", "security tls", "software envoy", "value", "domainpath name", "header value", "self", "copy md5", "copy sha1", "copy sha256", "returnur", "south korea", "as9318 sk", "sqlite rollback", "journal", "as701 verizon", "bittorrent dht", "win64", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFi:LinkularNSIS", "display_name": "#LowFi:LinkularNSIS", "target": null }, { "id": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "display_name": "#Lowfi:HSTR:Win32/ObfuscatorDynMemJmpAPI", "target": null }, { "id": "Fareit", "display_name": "Fareit", "target": null }, { "id": "TrojanDownloader:Win32/Dadobra.E", "display_name": "TrojanDownloader:Win32/Dadobra.E", "target": "/malware/TrojanDownloader:Win32/Dadobra.E" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3149, "domain": 1304, "URL": 5269, "FileHash-SHA256": 968, "FileHash-SHA1": 206, "email": 7, "FileHash-MD5": 274, "SSLCertFingerprint": 1, "CVE": 1 }, "indicator_count": 11179, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main", "Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http", "applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com", "http://cve.chainguard.dev", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/", "TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "marriott-control-prd.accenture.cn", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "Incredibly false information, white screens , pink screens and chat erasure", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)", "Indicators seen may have affected a few OTX users. Is ongoing", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv", "https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://otx.alienvault.com/pulse/6976d6afd744c55bd596ed6e", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d", "IDS Detections Trojan.Generic.KDV.545753 Checkin", "AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "iamrobert.com Y.A.S.", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "IDS: Observed Suspicious UA (Hello, World)", "154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc", "https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "afraid.org | evergreen.afraid.org", "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "Alerts: exe_appdata injection_process_search privilege_luid_check process_interest", "URLSpirit Spyware", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh", "Device targeted with l RMS Modules by male in Denver, Co", "https://pegasus.pahamify.com/", "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5", "Connects to all NEW targets key contacts main targets contacts.", "TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey", "https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Luxury Apartments and Townhome communities do use Foundry Palantir", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "162.159.134.42 \u2022 https://cellebrite.com/", "Crowdsourced IDS Below:", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "simswap.in (possible Mirai or relationship to)", "zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Believed to be originating from Germany and Russia", "http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP", "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp", "tv.apple.com", "Foundry Palantir still has a presence in Colorado", "apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Some Colorado communities have been taken over by the State Government", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html", "22.hio52.r.cloudfront.net", "http://help.aiseesoft.jp/video-converter-ultimate/", "https://bot.dev.talos-systems.io/", "polling.portal.gov.bd", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://help.aiseesoft.jp/blu-ray-player", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "http://sissy.com/default - Adult Content", "BGP Hurricane Electric seen", "https://www.fidelity.com/ https://www.fidelity.com/", "https://grok-chatbot.tapnetic.pro/$", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://meumundogay-com.sexogratis.page/locker", "prometheus.netmaker.vonnue.dev", "66.33.60.130 command_and_control", "cdn.rss.applemarketingtools.com", "applev2.platform.int.iberia.es \u2022 applestyle.cz \u2022 66.196.118.33", "https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "http://appleid.app", "apple-business.cancom.at", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "http://freedns.afraid.org/images/apple.gif", "195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://action.aiseesoft.jp/itunes.php", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary", "socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov", "developer.x.com", "https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "http://watchhers.net/index.php", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "https://api.manus.im/api/oauth2_callback/apple", "IDS Detections Gh0stCringe CnC Activity M2", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "Loads modules at runtime Looks up procedures from modules", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content", "http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP", "https://apple.btprmjo.cc/", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "https://www.justice.gov/opa/pr/departmen.t", "192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "http://help.aiseesoft.jp/fonelab/", "Many indicators point to an IP this block is on.", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.", "marriott-datacenter-prd.accenture.cn", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97", "mta6.am0.yahoodns.net \u2022 appleatwork.noventiq.my", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht", "http://www.anyxxxtube.net/search-porn/ - Adult Content", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "target.dropboxbusiness.com", "https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "I need some help.", "server-3-164-143-102.nrt20.r.cloudfront.net", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.anyxxxtube.net/search-porn/", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Alerts: console_output antivm_memory_available pe_features", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "Alerts: packer_unknown", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org Domain kinkfuck.com \u2022 nobodycares.art", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/68e72a3b96eaf61daf0eb13f", "https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Is the family allowed to have a funeral for Tsara or print an obituary", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "NtProtectVirtualMemory@NTDLL.DLL", "TAGS: mtb yara name servers name tactics network traffic new browser next associated next", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "ET SMTP Abuseat.org Block Message 85.218.0.110 192.168.56.101", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://dns.google/resolve?name=SELECT", "Unique rule identifier: This rule belongs to a private collection.", "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "podcasts.apple.com \u2022 23.34.32.21", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan", "ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot", "Target was monitored in store and followed home needed to stop multiple times , change routes.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "2012647\tDropbox.com Offsite File Backup in Use", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com", "Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "crypto-pool.fr", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "https://codesearch.criteois.com/opengrok/search?q=", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "Hours after files were deemed malicious. We powered on targeted Smart TV", "http://firstmile.digitecgalaxus.ch", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "swarm-foundry.com", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Location search was used to find device users address. It\u2019s with me.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo", "https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/", "jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP", "api.acumatica.flex.redteam.com", "By remote view of NEW targeys view, all key calls are routed through him.", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "fastwebnet.it | Cellebrite White Label Spyware Service", "https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com", "Address shows an place of origin: Broomfield , Co", "putrhnwl.exe", "https://goo.gl/9p2vKq", "IDS Detections: Suspicious Activity potential UPnProxy", "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp", "https://dotnet.microsoft.com/en-us/apps/aspnet", "Yara Detections: Armadillov171", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "https://communityinviter.com/apps/cloudfoundry/cloud-foundry", "Antivirus Detections: Win.Malware.Pits-10035540-0", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "Yara Detections: is__elf , ECHOBOT", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "TAGS: yara niggercat none file null object os x outbound passive dns path pattern match", "ocn.ad.jp - Registrant Org: NTT Communications Corporation", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "target.id \u2022 tostring.call \u2022 title.search", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "Malicious activity seen since a Pulse regarding school outage.", "Any.run", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "We have foot soldiers. Be aware", "Alerts: dead_host network_icmp nolookup_communication persistence_ads creates_largekey", "http://test-firstmile.digitecgalaxus.ch", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup", "httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "DivX Player 7.2.0, DivX Web Player 1.5.0 OriginalFilename: bundle-ovs.exe", "https://hybrid-analysis.com/sample/64e591d43f920a5194806bba9da40e0344db5333cd773da4df4f27259222529d/692a7e373e637b291e0a0957", "https://api.strem.io/api/addonCollectionGet%", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master", "us-gov-west-1.gov.reveal-global.com", "http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "consolefoundry.date \u2022 http://consolefoundry.date", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "Malicious IP Contacted: 69.42.215.252", "Prometheus - Alien God? Morality through the eyes of the immoral", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Target agreed and complied with all lie detector measures.", "Denver, US 80211 http://library.verizon.onereach.ai", "prometheus.dev.aws.finoa.io", "http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt", "It\u2019s so out of hand,m for 16 people.", "https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://inbound-message-listener-temporary-testing.palantirfoundry.com", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 37.115.100.238", "TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "search.roi.ros.gov.uk", "https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp", "Invalid IP (052.105.023.053)", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "appleaustralia.com", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "ET POLICY PE EXE or DLL Windows file download HTTP 95.69.199.116 192.168.56.101", "Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert", "http://2026c1ff-ede2-494c-9a91-8867e50d918d.applestyle.cz/", "nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "I would post his public information. It may be unwise.", "Information gathered equals 2 pulses. Pulse (1) included", "https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9", "jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com", "John 12:17", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "https://otx.alienvault.com/indicator/file/c3ea30ad1090fb9f1de847eaf0b68e6f42a58147d3497628d4d7adbf1e0e0966", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com", "Pornhub to your phone. Dumping or by request?", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise", "asp.net domain pointer", "https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content", "3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "Antivirus Detections: Trojan:Win32/Dorv.A", "https://www.meritshealth.com/ Defense.Gov Mobility Co? ", "IDS Detections: Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "A man claiming to have the name Sebastian is communicating with targets love one", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "https://ww41.porn25.com/", "https://cpcontacts.apple4you.it", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "TAGS: detection detections detections name development att direct dirty dns resolutions domain", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "RECORD VALUE:Org \u2022 FastWeb: S.p.a. Status: OK", "http://alohatube.xyz/search/tsara-brashears", "TAGS: pyspark python python initiated quic ransom recipes record value redacted for", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "Ransomware File Modifications Exec Crash", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "Yara: Detections Tofsee", "Targets associated warned. Not very open to advice.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Pahamify Pegasus", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network", "No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.", "Yara: Detections Delphi", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content", "dev.myhpnmedicaid.com", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content", "214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "fmx32.aig.com \u2022 167.230.105.81", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "Other constitutional rights and privileges written in law where severe courses of action is allowed", "TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections", "132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "This pulse is so huge it\u2019s a mess. Will break down.", "https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169", "TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "https://bhive.nectar.social/rKvoMY", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "http://partners.spycloud.com", "1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam", "Contains Pe Overlay Queries Locale Api Language Check Registry", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "Apple - 162.55.158.153", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "I am very upset. Whoever is doing this is sick.", "http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "FileDescription: DivX OVS Bundle, L:EN;ES;DE;FR;JA;PT;ZH-CN;ZH-TW, DivX Codec 6.9.1,", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "Alerts: cape_detected_threat", "Victims have lost financial assets, jobs, vehicles", "Subject: DE Certificate Subject: Berlin Certificate Subject", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "asp.bet", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "ET DNS DNS Query to a .tk domain - Likey", "Antivirus Detections: Win.Trojan.Agent-1190546", "http://emrd.gov.bd/dead.php", "Domains Contacted: download.divx.com dns.msftncsi.com versions.divx.com", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "skillsfuture.gov.sg app.pr-21.apprenticeships-vic-gov-au.sdp4.sdp.vic.gov.au", "equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact", "https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "1.bing.com.cn", "www.phantomcameras.cn", "Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado", "Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "quecompegasune.tk \u2022 hipicapegaso.com", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "aotx.alienvault.com (aotx.?)", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a", "http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/", "https://brandyallen.com/2022/11/23/sexy", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "ET INFO Exectuable Download from dotted-quad Host 192.168.56.101 95.69.199.116", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "http://deposito.hostance.net/dialer/", "Hybrid Analysis", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "https://twitter.com/PORNO_SEXYBABES", "www.joewa.com", "https://176.113.115.136/ohhiiiii/", "Handled by Lumen Technologies | What kind of darkness is this?", "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2", "TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "ww.google.com.uy", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "64.38.232.180 - Adult Content IP", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Nippon Telegraph and Telephone Corporation one governmental now privated", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "computersandsoftware \u2022 portal sites \u2022 search engines and portals", "Email: d4@thinkman.com", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "Page Title: \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "http://spiritzuridgerunelahubcloudgusparkx.rest/", "http://mincom.gov.bd/dead.php", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://hybrid-analysis.com/sample/afe4977aae088e0c74e9acd2137d9ac11f171780399010cc1197adfab926bbc2/691924001d6dc4fa2d04d0b2", "apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net", "http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "Follow up need. This is a serious financial crime following the victims.", "IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "UrlVoid", "Alerts: dead_host network_icmp tcp_by", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "https://polling.portal.gov.bd/js/npc.script.js", "Accurately tipped about air travel safety. In past. Proven true.", "http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP", "IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "MITRE ATT&CK (T1057) Monitoring Target/s. Can be reviewed in Hybrid-Analysis sample.", "http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022", "Domains Contacted: pitfall.divx.com www.google.com", "Alerts: network_icmp network_http allocates_rwx antivm_disk_size creates_exe creates_shortcut", "IP\u2019s Contacted : 54.230.129.165", "Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.", "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "git.spywarewatchdog.org", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "Foundry Foot Soldiers are still in Colorado targeting innocents", "https://fs25.mygamesteam.com/download/underground-parking/", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Yara Detections BackdoorWin32Simda", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "76.76.21.61 command_and_control", "accenture.cn", "Domains Contacted api.nuget.org", "https://prometheus-pushgateway-internal.preview.tp-staging.com/", "www.anyxxxtube.net - Adult Content", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676", "https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672", "http://netuser.joymeng.com/charge_apple/notify", "Most of the people doing this are 50\u2019s plus, plus. There are youngsters but many grey haired , grandparents", "http://cabinet.gov.bd/dead.php", "pornhub.com\t \u2022 www.pornhub.com", "internationalfrontier.com", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key", "TAGS: sample analysis se domains search security quic add source level span spawns spy", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.", "http://www.cityofvacaville.gov/accessvacaville dev.login.theblackpuma.com", "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "https://es.pornhat.com/models/the-sex-creator/", "If someone is believed to be a threat they have right to due process.", "https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5", "http://remote.edikamin.com/", "http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "Yara Detections: Nullsoft_NSIS", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "Alerts: dumped_buffer network_http antisandbox_sleep antivm_network_adapters antivm_queries_computername", "http://consolefoundry.date/one/gate.php", "palantir-staging.staging.candidate.app.paulsjob.ai", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "ETPRO TROJAN Win32/Kryptik.BLYP Checkin 192.168.56.101 212.2.128.108", "gitea.neconsside.com \u2022 http://f7194.vip/login", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "https://www.colorfulbox.jp/", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "Potentially Pegasus related . Found to be affecting an IOS device", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "Multiple attackers. Don\u2019t believe me, look at the pulses. Caged in by male with deauther watch.", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250", "The older the smarter the way better. These people are brilliant , ruthless and dangerous", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "https://www.passcreator.com/en/apple-wallet-passes", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/", "Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://hello.extendedstay.com/api/mailings/unsubscribe/PMRGSZBCHIYTGOBWGYYTOLBCN5ZGOIR2EI2DGYZVMQ3DMNZNGY3GEYZNGQ2GIMBNMEYGENBNGQZDMMZYGA3DGZRZGI4SELBCOZSXE43JN5XCEORCGQRCYITTNFTSEORCHAZEKSCRNZ3UWTKHLA4US2BWNFVWK2SKKNXHAZTBO5RGOY2FGFYUOTTGNRJHQ5RZFU4TAPJCPU", "https://signin-pro-azure.crayon.com/signin-oidc", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "Google_Chrome_64bit_v136.0.7103.49.exe", "Verification failure observed in automated verification handlers during sandbox replay.", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "If something curious is found on privatelybowen property we have a constitutional right to examine it.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile", "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com", "TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Definitely requires further research", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "Alerts: stealth_window packer_entropy uses_windows_utilities", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn", "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Urlscan", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "Attempts to clip target at high rate of speed.Seen again at her residence in October", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf", "js-cdn.music.apple.com \u2022 23.78.51.170", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "http://catgirls.foundation/main \u2022 https://spaceship.com/", "https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "IDS Detections: Domain (whatismyipaddress .com in HTTP Host)", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://podcasts.apple.com/us/podcast/lazarus", "165.206.254.134 \u2022 Description: CC=US ASN=AS6122", "mailbox.co.za", "http://help.aiseesoft.jp/total-video-converter", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "Yara Detections: MS_Visual_Basic_6_0", "ET TROJAN Possible Kelihos.F EXE Download Common Structure 192.168.56.101 95.69.199.116", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "ASN AS27064 dod network information center", "Can the DoD no questions asked target a SA victim", "AVDetections: Patched3_c.AKRV", "http://titasgas.portal.gov.bd/dead.php", "TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "OTX AlienVault", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "Crowdsourced SIGMA Below:", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "Tipped of new looming airline threats", "moon-foundry.com shoparc.palantirfoundry.com Relentless ksuite.ikm.gov.in", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members", "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "www.anyxxxtube.net - Adult Content IP", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "Alerts: queries_programs antivm_queries_computername antivm_memory_available", "dev-app.project-cicada.com \u2022 project-cicada.com", "IDS: TLS Handshake Failure", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "www.apple.com \u2022 23.34.32.199", "aohhpesayw.lawsonengineers.co.", "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 95.69.199.116 192.168.56.101", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "campdeadwood2026.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "alohatube.xyz", "ET TROJAN Suspicious double Server Header", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "http://help.aiseesoft.jp/total-video-converter/", "Uses code, no phone calls. Connected via instagram.", "http://www.internationalfrontier.com", "There is fear in silence or speaking out", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "https://cellebrite.com/en/federal-government/", "Tulach.cc", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "spywarewatchdog.org", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Attacker being used by several legal entities attacking a target\u2019s family", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "Delete service is being used on this Threat service", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "https://discussions.apple.com/thread/255214328?sortBy=rank", "Statutory Masking Enabled - a domain registrar is hiding the public contact information for a domains", "http://git.spywarewatchdog.org", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP", "205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company", "https://glare.pali om. \u2022 http://engage.palantirfou?", "Pegasus Indicators deleted during pulse", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com", "https://alohatube.xyz/search/tsara-brashears", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "registrant in its WHOIS record, often due to regulations like GDPR or ICANN policies.", "www.killer333.club So I\u2019m right.", "Alerts: infostealer_cookies antiav_detectfile", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "Needs to be sorted. Actively being exploited on US", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "pegasuspartners.followupboss.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "Matches rule ET POLICY External IP Lookup ipinfo.io", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "https://eliyporasa - Adult Content", "https://polling.portal.gov.bd/js/npop.script.js", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God.", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "http://truefoundry.prodigaltech.com/", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Mirai", "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)" ], "malware_families": [ "Tofsee", "Win.packed.dapato-10021645-0", "Pws:win32/qqpass", "Inject.brdv", "Malwarex-gen", "Win32:trojanx-gen\\ [trj]", "Unix.trojan.mirai", "Worm:win32/locksky.gen!a", "Neshta", "Bible gateway", "Worm:win32/mofksys.rnd!mtb", "Trojan:win32/pariham.a", "Ddos:linux/lightaidra", "Trojan:win32/vflooder", "Other malware", "Formbook", "Cve-2024-6387", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Backdoor:linux/demonbot", "Racoon stealer", "Win.trojan.cycbot-1584", "Mirai (elf)", "Win32/backdoorx", "Win.trojan.agent", "Win.trojan.zegost", "Win.trojan.rootkit-4668", "#virtool:win32/obfuscator.adb", "Warzonerat - s0670", "Win.trojan.blacknetrat-7838854-0", "Crypt2.azdi", "Trojan:win32/salgorea", "Virtool:win32/autinject.cz!bit", "Win.dropper.lokibot-10010685-0", "Trojan:win32/wacatac", "Trojan.downloader12.43161", "Appleservice", "Unix.trojan.mirai-7669677-0", "Trojan:win32/ircbot", "Trojandownloader:win32/cutwail.bs", "Ransomexx", "Win.trojan.tofsee-7102058-0", "Unknown malware \u2018can't access file\u2019", "Worm:win32/autorun.xfv", "Win.trojan.agent-316098", "Wormwin32/mofksys.rnd!mtb", "Noname057", "Win.packed.remcos-10024510-0", "Swort", "Win.trojan.emotet-9850453-0", "Backdoor:win32/tofsee.t", "Win.trojan.vbgeneric-6735875-0", "Pykspa.c", "Mirai sim swap", "Win.dropper.gh0strat-10028210-0", "Custom malware", "Trojandropper:win32/qhost", "Nanocore rat", "Trojanspy", "Heur/unsec", "Alf:heraklezeval:trojan:win32/eqtonex.f", "#lowfidetectsvmware", "Win32:androp", "Win.malware.barys-6840738-0", "Win.packed.usteal-7531303-0", "Trojandownloader:win32/umbald.a", "Trojandropper:win32/muldrop", "Cve 2007695", "Win.trojan.fenomengame-8", "Trojan:msil/ursu.kp", "Virtool:win32/obfuscator.jm", "Cve-2018-10562", "Trojandownloader:win32/banload.d", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Mydoom", "#lowfi:tool:win32/vbstoexev2e", "Dialer", "Unix.trojan.gafgyt-698115", "Banload", "Win32:agent-alxe\\ [rtk]", "Win.trojan.dcrat-10039889-0", "Virtool:win32/injector.gen!bq", "Trojan:win32/daws", "Tsunami-6981155-0", "Trojan:win32/danabot", "Worm:win32/autorun!atmn", "Trojan:win32/salgorea.c!mtb", "Trojan:win32/aenjaris.al!bit", "Elf:mirai-ati", "#lowfi:linkularnsis", "Trojan:win32/tiggre!rfn", "Ddos:linux/gafgyt.ya!mtb", "Fareit", "Win.malware.hd0kzai-9985588-0", "Trojan:win32/miner.ka!mtb", "Win.trojan.filerepmalware-10008115-0", "Trojandropper:win32/muldrop.v!mtb", "Unruy", "Ransomware/win.stop.r4529", "Malware", "Win.dropper.nanocore-10021490-0", "Wannacry kill switch", "Win32:cabmod\\ [drp]", "Alf:heraklezeval:trojan:win32/amsitamper.b", "Emotet", "Silk road", "Bazaar loader", "Worm:win32/yuner.a", "Win.malware.msilperseus-6989564-0", "Trojan:win32/emotet.pc!mtb", "Kentuchy", "Sigur", "Elf:ddos-s\\ [trj]", "Trojandownloader:win32/upatre.a", "Psw.sinowal.x", "Zegost", "4-0 win.malware.pits-10035540-0", "Backdoor:win32/kanav.a", "Cve-2025-20393", "Trojandropper:win32/vb.il", "Cymt", "Maltiverse", "Win.virus.polyransom-5704625-0", "Psw:win32/vb.cu", "Node traffic", "Trojan:win32/aptdrop.ru", "Crypt3.chzw", "Pahamify pegasus", "Crypt3.boqd\t\t inject2.bhbw", "Der zugriff", "Backdoor:linux/mirai", "Cve-2023-22518", "Trojan:win32/glupteba.mt!mtb", "Njrat - s0385", "Alf:heraklezeval:trojan:msil/gravityrat", "Trojan:win32/zombie.a", "Pegasus", "Worm:win32/autorun.xxy!bit", "Alf:heraklezeval:pua:win32/keygen", "Win.trojan.emotet-9850453", "Win.trojan.fenomengame-14", "Trojan.sagnt/r011c0dfs24", "Trojan:win32/blihan.a", "Trojan:win32/agent.ag!mtb", "Androp", "Trojanspy:win32/nivdort.cw", "Worm:win32/autorun.b", "Crypt3.bxvc", "Trojan:win32/diamin.f", "Win.trojan.dialog-9873788-0", "Tr", "Virus:win95/cerebrus", "Win32:evo-gen", "Alf:heraklezeval:trojan:win32/clipbanker", "Ghandi", "Win.trojan.generic", "Redline", "Inject2.bive", "Alf:heraklezeval:ransom:win32/cve", "Win32:trojan-gen", "Trojan:bat/musecador", "Kanna", "Quasar rat", "Autoit", "Backdoor:win32/fynloski.a", "#lowfi:hstr:win32/obfuscatordynmemjmpapi", "Win.packer.pkr_ce1a-9980177-0", "Trojan:win32/qqpass", "Nids", "Et trojan", "Et", "Trojan:win32/ausiv!rfn", "Tel:msil/dlsocconsend", "Alf:jasyp:trojan:win32/adialer", "Crypt3.bxmj", "Trojan:pdf/phish.rr!mtb", ": alf:trojan:msil/azorult.ac!", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Ransom:win32/crowti.a", "Trojan:win32/conbea!rfn", "Pandex!gen1", "Patched3_c.akrv", "Sova", "Worm:win32/lightmoon.h", "Unix.trojan.gafgyt-6981154-0", "Systweak", "Crypt3.bmvu", "Win64:trojan-gen", "Trojan:win32/dorv.a", "Win.packed.malwarex-9792170-0", "Code overlap", "Win.malware.incredimail-6804483-0", "Win32:malware-gen", "Apnic", "Win32/trickler", "Backdoor:linux/demonbot.aa!mtb", "!#addscopy-tostartup", "Autorunit", "Trojandropper:win32/hupigon.gen!a", "Zergeca", "Etpro", "Detplock", "Mirai", "Win.trojan.ramnit-1847", "Lumen ip", "Alf:jasyp:trojan:win32/ircbot!atmn", "Worm:vbs/dapato", "Trojandownloader:win32/dadobra.e", "Win.malware.salat-10058846-0", "Urlspirit", "Virtool:win32/obfuscator.k", "Alf:trojan:win32/cryptwrapper.rt!mtb", "Muldrop", "Win.trojan.gh0strat-9955419-1", "Trojandownloader:win32/upatre.aa", "Dnstrojan", "Win32:malob-bx", "Kraddare", "Trojan:win32/eyestye.t", "Trojan:win32/startpage.aea", "Deathhiddentear (large&small ht) >", "Unix.trojan.tsunami-6981155-0", "Win.packed.generic-9967832-0", "Win.trojan.upatre-3371", "Eternalrocks", "Doc.downloader.emotetred02220-9938909-0" ], "industries": [ "Telecom", "Irs", "Legal", "Military", "Technology", "Contracts", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Government", "Insurance", "Journalists", "Financial", "Ecommerce", "Media", "Defense", "Finance", "Civil society", "Telecommunications" ], "unique_indicators": 539709 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/window.open", "whois": "http://whois.domaintools.com/window.open", "domain": "window.open", "hostname": "www.window.open" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e434769e2a43c088066ca2", "name": "Kraddare \u2022 Agent Tesla \u2022 CVE Jar clone credit octoseek", "description": "", "modified": "2026-04-19T07:36:41.138000", "created": "2026-04-19T01:48:38.335000", "tags": [ "heur", "cisco umbrella", "site", "alexa top", "malware", "million", "xcnfe", "maltiverse", "malware site", "safe site", "malicious", "trojan", "artemis", "vidar", "redline stealer", "raccoon", "keylogger", "riskware", "agent tesla", "remcos", "stealer", "miner", "hacktool", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "detplock", "networm", "win64", "service", "smokeloader", "dropper", "crack", "alexa", "trojanspy", "detection list", "blacklist https", "kyriazhs1975", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "blacklist", "cyber threat", "united", "engineering", "phishing", "covid19", "facebook", "phishing site", "paypal", "njrat", "emotet", "nanocore rat", "meterpreter", "azorult", "download", "msil", "bladabindi", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "cve201711882", "redline", "ssl certificate", "tsara brashears", "cyberstalking", "spyware", "apple ios", "quasar", "ransomware", "malware norad", "cry kill", "attack", "installer", "formbook", "lockbit", "open", "banker", "bazarloader", "core", "ransomexx", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "ascii text", "null", "date", "error", "span", "refresh", "class", "generator", "critical", "body", "look", "verify", "restart", "meta", "hybrid", "general", "click", "strings", "tools", "as141773", "as63932", "moved", "passive dns", "search", "entries", "gmt content", "type", "keep alive", "scan endpoints", "all octoseek", "pulse pulses", "as17806 mango", "blacklist http", "phishtank", "malicious site", "apple", "blockchain", "runescape", "twitter", "qakbot", "asyncrat", "team", "internet storm", "generic", "union", "bazaloader", "media", "generic malware", "hostname", "suppobox", "netwire rc", "installcore", "conduit", "iobit", "mediaget", "outbreak", "acint", "installpack", "phish", "rostpay", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "dapato", "cleaner", "softonic", "encpk", "qbot", "predator", "swrort", "kraddare", "systweak", "dllinject", "driverpack", "iframe", "downldr", "presenoker", "as61317", "asnone united", "urls", "files", "next", "as15169 google", "japan unknown", "as17506 arteria", "as32244 liquid", "as49505", "russia unknown", "expired", "domain", "falcon", "as19969", "ipv4", "ransom", "encrypt", "file", "windows nt", "indicator", "response", "appdata", "gmt contenttype", "png image", "local", "contacted", "fali malicious", "dropped", "communicating", "referrer", "fali contacted", "silk road", "immediate", "cymulate2", "tsara brashears", "malvertizing" ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "ww.google.com.uy", "https://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://polling.portal.gov.bd/js/npc.script.js", "polling.portal.gov.bd", "https://polling.portal.gov.bd/js/npop.script.js", "http://watchhers.net/index.php", "https://brandyallen.com/2022/11/23/sexy", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://park.above.com/jr.php?gz=DjDNgvDQ0WlpBALxevxSvkF3jBH95b5riUvmgFjb1tbPDV06suYFlRcPA34ufLE5UZ8spiM7ya7tRXR8nLUgk920DSaIXniiR5hkoveznG%20mez7OU5R%20HKIczV475LuRwxm3J1pcRSpQcePtF/4aD%20frLO%205mYc0Maj8Z1IwBeAMESc9Gk3BzCkGUHNVeCAZ9vZrQhEeVvN%20QVBAu1boZNJTnvCAP0lB5ebMSP92bFHD/ItyL53LoVDSYWMd64KTNMMJaXE0kZVqQn/%20STriQbrA6cmW3Xj4sAJ3XXEbNNJzTbIvgsy00PlKWInEUK/iXzVecaBsXg3vkUcvkeM3HPPIajaBexXO7ATYz/qTeKAksI9l2IoDAsn0S9BYCTuP8uTYdgJAv0LO%20MkNBOrSqJnFQzTlNxG4NRSP6K4VDWklVPpCwQc/s/AfrwIdLcdrV6CQDLaluG1naOjXDc", "http://nhrc.portal.gov.bd/sites/default/files/files/nhrc.portal.gov.bd/page/348ec5eb_22f8_4754_bb62_6a0d15ba1513/Study-Report-on-Sexual-Offences_Final.pdf", "https://twitter.com/PORNO_SEXYBABES", "https://alohatube.xyz/search/sex-mom-dog-animal", "https://www.colorfulbox.jp/", "Hybrid Analysis", "Any.run", "OTX AlienVault", "Urlscan", "UrlVoid", "http://emrd.gov.bd/dead.php", "http://titasgas.portal.gov.bd/dead.php", "http://mincom.gov.bd/dead.php", "http://cabinet.gov.bd/dead.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia", "Bangladesh" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Racoon Stealer", "display_name": "Racoon Stealer", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Bazaar Loader", "display_name": "Bazaar Loader", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Detplock", "display_name": "Detplock", "target": null }, { "id": "WannaCry Kill Switch", "display_name": "WannaCry Kill Switch", "target": null }, { "id": "Ghandi", "display_name": "Ghandi", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swort", "display_name": "Swort", "target": null }, { "id": "Silk Road", "display_name": "Silk Road", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Worm:VBS/Dapato", "display_name": "Worm:VBS/Dapato", "target": "/malware/Worm:VBS/Dapato" }, { "id": "Kraddare", "display_name": "Kraddare", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" } ], "industries": [], "TLP": "green", "cloned_from": "654a7a53317c717d1f4fee7f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2522, "FileHash-SHA1": 862, "FileHash-SHA256": 2855, "URL": 7963, "domain": 1168, "hostname": 3181, "CVE": 13, "email": 2, "IPv4": 1 }, "indicator_count": 18567, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:43.680000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-04-04T16:16:26.128000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "IPv4": 294, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "IPv6": 27, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9978, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.window.open/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.window.open/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776596068.9826481 }