{ "type": "URL", "indicator": "https://www42.debuging.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www42.debuging.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4001571622, "indicator": "https://www42.debuging.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68ec0870475174302c733fa2", "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022 Streaming \u2022 Stealing", "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted continued suggestions for Mortis.com , \ntouted . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid. OTX issues,. Several pulse attempts later , constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be the only person targeted. Multiple Foundry , PayPal Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.", "modified": "2025-11-11T04:02:27.091000", "created": "2025-10-12T19:58:40.472000", "tags": [ "url https", "indicator role", "active related", "united", "ip address", "unknown ns", "x82xd4", "x86xd3", "xa1xf1", "xe8xc2x14", "win32tofsee", "trojan", "win32tofsee att", "ck ids", "t1096", "ntfs file", "service", "united kingdom", "germany", "netherlands", "mortis.com", "dead", "death", "foundry", "paypal", "home visitor", "psalms 37", "trojan", "emotet", "boeing", "apple", "streaming", "kryptik", "myundeadneighbor", "windstream communications llc", "command", "tofsee", "kx81xdbx0f", "wx99xcdx11", "stream", "write", "malware", "tsara brashears", "regsetvalueexa", "malware", "win32", "persistence", "execution", "push", "shellexecuteexw", "windows", "botnet", "backdoor", "writeconsolew", "displayname", "sddl", "hash", "ip address", "ssl certificate", "spawns", "initial access", "adversaries", "name tactics", "t1031", "registry", "dock", "suspicious", "learn", "phishing att", "infection", "commandand_and_control", "informative", "jetblue", "porn", "keylogger", "remote keylogger", "parklogic", "parking crew", "park pages", "cyber crime", "data brokers", "info stealers", "password", "masquerading", "discord", "sophisticated", "dga domains", "pit", "rotor", "hello", "targeting", "games" ], "references": [ "mortis.com", "I unintentionally made the first pulse Public.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "assassinationmarkets.com", "https://id.security.trackid", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/Emotet.KDS!MTB", "display_name": "Trojan:Win32/Emotet.KDS!MTB", "target": "/malware/Trojan:Win32/Emotet.KDS!MTB" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Tofsee-6880878-0", "display_name": "Win.Malware.Tofsee-6880878-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Kryptik-PLL", "display_name": "Win32:Kryptik-PLL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2407, "domain": 2321, "hostname": 983, "FileHash-SHA256": 3035, "FileHash-MD5": 228, "FileHash-SHA1": 231, "email": 1, "FilePath": 3 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67296da2ad42bb9341f2ebbb", "name": "EdgeUno (enriched)", "description": "", "modified": "2024-12-04T23:04:58.288000", "created": "2024-11-05T00:58:10.474000", "tags": [], "references": [ "https://www.virustotal.com/graph/gb41ca9e9bb65496989da92c8118da98d08fbd1d49c514f0597960a954a6d5bf8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 43, "FileHash-SHA1": 23, "FileHash-SHA256": 270, "domain": 705, "hostname": 1215, "URL": 2982, "CVE": 2 }, "indicator_count": 5240, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "assassinationmarkets.com", "I unintentionally made the first pulse Public.", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75", "https://id.security.trackid", "mortis.com", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "https://www.virustotal.com/graph/gb41ca9e9bb65496989da92c8118da98d08fbd1d49c514f0597960a954a6d5bf8", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/emotet.pc!mtb", "Tofsee", "Win32:kryptik-pll", "Trojan:win32/emotet.kds!mtb", "Win.malware.tofsee-6880878-0", "Backdoor:win32/tofsee.t" ], "industries": [], "unique_indicators": 14668 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/debuging.com", "whois": "http://whois.domaintools.com/debuging.com", "domain": "debuging.com", "hostname": "www42.debuging.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68ec0870475174302c733fa2", "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022 Streaming \u2022 Stealing", "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted continued suggestions for Mortis.com , \ntouted . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid. OTX issues,. Several pulse attempts later , constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be the only person targeted. Multiple Foundry , PayPal Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.", "modified": "2025-11-11T04:02:27.091000", "created": "2025-10-12T19:58:40.472000", "tags": [ "url https", "indicator role", "active related", "united", "ip address", "unknown ns", "x82xd4", "x86xd3", "xa1xf1", "xe8xc2x14", "win32tofsee", "trojan", "win32tofsee att", "ck ids", "t1096", "ntfs file", "service", "united kingdom", "germany", "netherlands", "mortis.com", "dead", "death", "foundry", "paypal", "home visitor", "psalms 37", "trojan", "emotet", "boeing", "apple", "streaming", "kryptik", "myundeadneighbor", "windstream communications llc", "command", "tofsee", "kx81xdbx0f", "wx99xcdx11", "stream", "write", "malware", "tsara brashears", "regsetvalueexa", "malware", "win32", "persistence", "execution", "push", "shellexecuteexw", "windows", "botnet", "backdoor", "writeconsolew", "displayname", "sddl", "hash", "ip address", "ssl certificate", "spawns", "initial access", "adversaries", "name tactics", "t1031", "registry", "dock", "suspicious", "learn", "phishing att", "infection", "commandand_and_control", "informative", "jetblue", "porn", "keylogger", "remote keylogger", "parklogic", "parking crew", "park pages", "cyber crime", "data brokers", "info stealers", "password", "masquerading", "discord", "sophisticated", "dga domains", "pit", "rotor", "hello", "targeting", "games" ], "references": [ "mortis.com", "I unintentionally made the first pulse Public.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "assassinationmarkets.com", "https://id.security.trackid", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/Emotet.KDS!MTB", "display_name": "Trojan:Win32/Emotet.KDS!MTB", "target": "/malware/Trojan:Win32/Emotet.KDS!MTB" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Tofsee-6880878-0", "display_name": "Win.Malware.Tofsee-6880878-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Kryptik-PLL", "display_name": "Win32:Kryptik-PLL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2407, "domain": 2321, "hostname": 983, "FileHash-SHA256": 3035, "FileHash-MD5": 228, "FileHash-SHA1": 231, "email": 1, "FilePath": 3 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67296da2ad42bb9341f2ebbb", "name": "EdgeUno (enriched)", "description": "", "modified": "2024-12-04T23:04:58.288000", "created": "2024-11-05T00:58:10.474000", "tags": [], "references": [ "https://www.virustotal.com/graph/gb41ca9e9bb65496989da92c8118da98d08fbd1d49c514f0597960a954a6d5bf8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 43, "FileHash-SHA1": 23, "FileHash-SHA256": 270, "domain": 705, "hostname": 1215, "URL": 2982, "CVE": 2 }, "indicator_count": 5240, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www42.debuging.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www42.debuging.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780298821.39572 }