{
"type": "URL",
"indicator": "https://xchmm.cloudns.be",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://xchmm.cloudns.be",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4126284269,
"indicator": "https://xchmm.cloudns.be",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 11,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "166 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dc624893ea922b898f911b",
"name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device",
"description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!",
"modified": "2025-10-30T22:01:00.256000",
"created": "2025-09-30T23:05:44.154000",
"tags": [
"search",
"google search",
"in a",
"relevance",
"internet storm",
"intranet",
"part",
"steps",
"hyper v",
"windowssystem32",
"ping request",
"algorithm",
"ouno sni",
"key usage",
"google llc",
"v3 serial",
"number",
"public key",
"info",
"key algorithm",
"domain",
"subject key",
"identifier",
"net173",
"net1730000",
"gogl",
"orgid",
"gogl address",
"city",
"mountain view",
"stateprov",
"postalcode",
"registrar",
"ip address",
"http",
"port",
"accept",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"found",
"united",
"ascii text",
"pattern match",
"mitre att",
"title",
"hybrid",
"general",
"path",
"click",
"strings",
"body",
"initial access",
"local",
"passive dns",
"urls",
"url add",
"related nids",
"files location",
"flag united",
"backdoor",
"status",
"aaaa",
"date",
"name servers",
"record value",
"emails",
"present aug",
"present sep",
"moved",
"error",
"antivm",
"drive by",
"cab by"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 544,
"FileHash-SHA256": 2300,
"URL": 3905,
"hostname": 1675,
"FileHash-MD5": 209,
"FileHash-SHA1": 210,
"CIDR": 1,
"email": 7,
"SSLCertFingerprint": 8,
"CVE": 2
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "171 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d877d6231fc1cbe1792ee1",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:38.895000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d877e28416d81633bae1ad",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:50.976000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d0f099f60e98e6c4ffc1e5",
"name": "Elaborate Medical Insurance Scheme | Claims Reversal",
"description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam",
"modified": "2025-10-22T05:00:52.085000",
"created": "2025-09-22T06:45:45.714000",
"tags": [
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"date",
"encrypt",
"united",
"backdoor",
"entries",
"passive dns",
"hstr",
"checkin",
"next associated",
"lowfi",
"trojan",
"ipv4 add",
"twitter",
"trojandropper",
"ransom",
"body",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"ck ids",
"t1036",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob",
"yara",
"report spam",
"otx generated",
"created",
"hours ago",
"otx auto",
"new york",
"tsara brashears",
"search",
"filehashsha1",
"filehashmd5",
"domain",
"hostname",
"virgin islands",
"canada",
"ireland",
"pes of",
"expiration",
"hall render",
"possible deep",
"https",
"panda",
"post",
"insane",
"law firm",
"virtool",
"service",
"iocs",
"learn more",
"et trojan",
"msie",
"windows nt",
"show",
"unknown",
"france as16276",
"united kingdom",
"possible",
"write",
"win32",
"malware",
"copy",
"next",
"et",
"returnurl"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"Netherlands",
"Italy",
"Aruba",
"Germany",
"Ireland",
"Spain",
"Poland",
"Canada",
"T\u00fcrkiye",
"Romania",
"Sweden",
"Australia",
"Singapore",
"Denmark"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2905,
"URL": 5029,
"hostname": 1146,
"FileHash-SHA256": 935,
"FileHash-MD5": 102,
"FileHash-SHA1": 100,
"email": 3
},
"indicator_count": 10220,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "180 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cb233ba91aa1eb958b3f31",
"name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder",
"description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
"modified": "2025-10-17T19:03:15.031000",
"created": "2025-09-17T21:08:11.518000",
"tags": [
"script urls",
"meta",
"moved",
"x tec",
"passive dns",
"encrypt",
"america flag",
"san francisco",
"extraction",
"data upload",
"type indicatod",
"united states",
"a domains",
"united",
"gmt server",
"jose",
"university",
"bill",
"rmhs",
"information",
"board",
"lorin",
"joseph",
"all veterans",
"rocky mountain",
"mission",
"vice",
"april",
"school",
"austin",
"prior",
"ipv4 add",
"urls",
"files",
"location united",
"wordpress",
"rmhs meta",
"tags viewport",
"rmhs og",
"rmhs article",
"wpbakery page",
"builder",
"slider plugin",
"google tag",
"mountain human",
"denver",
"connecting",
"denver start",
"relevance home",
"providers",
"contact us",
"rmhs main",
"server",
"redacted tech",
"redacted admin",
"registrar abuse",
"algorithm",
"key identifier",
"x509v3 subject",
"dnssec",
"country",
"ttl value",
"graph summary",
"resolved ips",
"ip address",
"port",
"data",
"screenshots no",
"involved direct",
"country name",
"name response",
"tcp connections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"found",
"spawns",
"t1590 gather",
"path",
"ascii text",
"exif standard",
"tiff image",
"format",
"stop",
"false",
"soldier",
"model",
"youth",
"baby",
"june",
"general",
"local",
"click",
"strings",
"core",
"warrior",
"green",
"emotion",
"flash",
"nina",
"hunk",
"fono",
"daam",
"mitre att",
"ck techniques",
"id name",
"malicious",
"windows nt",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"show process",
"self",
"date",
"comspec",
"hybrid",
"form",
"log id",
"gmtn",
"tls web",
"b2 f6",
"b0n timestamp",
"f9401a",
"record value",
"x wix",
"certificate",
"domain add",
"pulse submit",
"body",
"domain related",
"blackbox",
"apple",
"helix",
"dvrdns",
"tracking",
"remote access",
"ios",
"spyware",
"hoax",
"dynamicloader",
"ptls6",
"medium",
"flashpix",
"high",
"ygjpavclsline",
"officespace",
"chartshared",
"powershell",
"write",
"malware",
"ygjpaulscontext",
"status",
"japan unknown",
"domain",
"pulses",
"search",
"accept",
"apt10",
"trojanspy",
"win32",
"entries",
"susp",
"backdoor",
"useragent",
"showing",
"virtool",
"twitter",
"mozilla",
"trojandropper",
"trojan",
"title",
"onelouder",
"yara det",
"maware samoe",
"genaco x",
"ids detec",
"ids terse",
"win3 data",
"include review",
"exclude sugges",
"targeting",
"show",
"copy",
"reads",
"dynamic",
"vendor finding",
"notes clamav",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"next yara"
],
"references": [
"rmhumanservices.org",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"remotewd.com x 34 devices",
"South Africa based: remote.advisoroffice.com",
"acc.lehigtapp.com - malware",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"chinaeast2.admin.api.powerautomate.cn",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"ssa-gov.authorizeddns",
"hmmm\u2026http://palander.stjernstrom.se/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
],
"public": 1,
"adversary": "APT 10",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APT 10",
"display_name": "APT 10",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "KoobFace",
"display_name": "KoobFace",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Nivdort Checkin",
"display_name": "Nivdort Checkin",
"target": null
},
{
"id": "Win.Malware.Installcore-6950365-0",
"display_name": "Win.Malware.Installcore-6950365-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Golfing",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 690,
"hostname": 1912,
"URL": 5925,
"FileHash-SHA1": 273,
"email": 8,
"FileHash-SHA256": 3618,
"CIDR": 3,
"FileHash-MD5": 254,
"SSLCertFingerprint": 19,
"CVE": 2
},
"indicator_count": 12704,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "184 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c1a8b3b2144ae9455191c4",
"name": "VT Graph (miniuser) - 09.10.25",
"description": "all-seeing-eye-sauron-powershell-tool-data-collection-threat-hunting_578. pdf - 09.10.25",
"modified": "2025-10-10T16:03:06.210000",
"created": "2025-09-10T16:34:59.269000",
"tags": [],
"references": [
"https://www.virustotal.com/graph/embed/g25090dbc8e9e49cc805b123e936987a5022d66ee7e2b457193bf6cf242952800?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 40,
"FileHash-SHA1": 40,
"FileHash-SHA256": 1281,
"URL": 618,
"domain": 461,
"hostname": 455
},
"indicator_count": 2895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "191 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"https://www.virustotal.com/graph/embed/g25090dbc8e9e49cc805b123e936987a5022d66ee7e2b457193bf6cf242952800?theme=dark",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"hmmm\u2026http://palander.stjernstrom.se/",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"DiabloFans ClapBack: Google. Com",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"rmhumanservices.org",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"If someone is believed to be a threat they have right to due process.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"acc.lehigtapp.com - malware",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"chinaeast2.admin.api.powerautomate.cn",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Target agreed and complied with all lie detector measures.",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"ssa-gov.authorizeddns",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"MetrobyT-mobile",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"There is fear in silence or speaking out",
"iamrobert.com Y.A.S.",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"https://meumundogay-com.sexogratis.page/locker",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"I am very upset. Whoever is doing this is sick.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"remotewd.com x 34 devices",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"https://es.pornhat.com/models/the-sex-creator/",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"South Africa based: remote.advisoroffice.com",
"Can the DoD no questions asked target a SA victim",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"https://www.mlkfoundation.net/ (Foundry DGA)"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"APT 10"
],
"malware_families": [
"Trojandownloader:win32/upatre",
"Malware + code overlap",
"Koobface",
"Win.virus.polyransom-5704625-0",
"Trojan:win32/vflooder",
"Trojan:win32/vflooder!rfn",
"Win.malware.jaik-9968280-0",
"Asacky",
"Trojandownloader:win32/upatre.a",
"Sality",
"Andromeda",
"Win32:trojanx-gen\\ [trj]",
"Upatre",
"Virus.virlock/nabucur",
"Nivdort checkin",
"Apt 10",
"Win32:trojan",
"Bancos",
"Win32:malwarex",
"Tofsee",
"Malware",
"Apnic",
"Win32:dropper",
"Unix.dropper.mirai-7135870-0",
"Win.packer.pkr_ce1a-9980177-0",
"Trojandropper:win32/bcryptinject.b!msr",
"Win32:cleaman-k\\ [trj]",
"Trojanspy:win32/banker.ly",
"Malwarex",
"Onelouder",
"Ymacco",
"Trojan:win32/qbot.r!mtb",
"Et",
"Bayrob",
"Win32:evo",
"Win.malware.installcore-6950365-0",
"Trojan:bat/musecador",
"Hematite",
"Virtool:win32/ceeinject.akz!bit",
"Backdoor:win32/plugx.n!dha"
],
"industries": [
"Golfing",
"Government",
"Healthcare",
"Media",
"Telecom"
],
"unique_indicators": 65295
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/cloudns.be",
"whois": "http://whois.domaintools.com/cloudns.be",
"domain": "cloudns.be",
"hostname": "xchmm.cloudns.be"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 11,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2ca40b12d7f02af896284",
"name": "Exploit Kit - 77.67.27.35 Isolated",
"description": "Information hastily gathered. IP 77.67.27.35\nbelongs to a server or device, WHOIS lookup indicates domain name cloud.com, owned by P.O. Box 412, 1043 CD, Amsterdam, Noord-Holland, NL | Summary ; ASN, AS3257 GTT Communications Inc. ; BGP, 77.67.0.0/17 ; IPs | BGP Looking Glass for AS3257 / GTT Communications Inc. | http.net - IP Transit Provider | Global Services - GTT | http://www.gtt.net Company Looking Glass: http://www.as3257.net/lg/ Info from single malicious file :Win32/Heur\n, \nTrojan.Crypted-29\nIDS Detections\nET POLICY Unsupported/Fake Windows NT Version 5.0\nET TROJAN Trojan/W32.KRBanker.60928.C Checkin\nYara Detections\nNone\nAlerts:\n\u2022 infostealer_browser\n\u2022 bypass_firewall\n\u2022 persistence_autorun\n\u2022 network_bind\n\u2022 network_http\n\u2022 packer_entropy\n- IP\u2019s Contacted :\n8.8.8.8 ,\n\n77.67.27.35 ,\n\n59.13.211.166 ,\n\n118.99.41.30 ,\nDomains Contacted :\nr.qzone.qq.com",
"modified": "2025-11-04T19:02:34.015000",
"created": "2025-10-05T19:42:56.097000",
"tags": [
"win32dh",
"mxigd4et",
"united",
"passive dns",
"entries",
"next associated",
"present oct",
"win32virut feb",
"all ipv4",
"pulse pulses",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"evasion att",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"pattern match",
"mitre att",
"show technique",
"null",
"refresh",
"body",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"information",
"whois",
"amsterdam",
"noordholland",
"summary",
"as3257 gtt",
"bgp looking",
"glass",
"as3257",
"ip transit",
"global",
"jfif",
"clsid",
"jpeg image",
"windows nt",
"gif image",
"msie",
"rgba",
"utf8 unicode",
"malware",
"copy",
"write",
"next",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"Korea, Republic of",
"Hong Kong"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 195,
"FileHash-SHA1": 106,
"FileHash-SHA256": 254,
"URL": 603,
"hostname": 256,
"domain": 74,
"CIDR": 3,
"email": 2
},
"indicator_count": 1493,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "166 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dc624893ea922b898f911b",
"name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device",
"description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!",
"modified": "2025-10-30T22:01:00.256000",
"created": "2025-09-30T23:05:44.154000",
"tags": [
"search",
"google search",
"in a",
"relevance",
"internet storm",
"intranet",
"part",
"steps",
"hyper v",
"windowssystem32",
"ping request",
"algorithm",
"ouno sni",
"key usage",
"google llc",
"v3 serial",
"number",
"public key",
"info",
"key algorithm",
"domain",
"subject key",
"identifier",
"net173",
"net1730000",
"gogl",
"orgid",
"gogl address",
"city",
"mountain view",
"stateprov",
"postalcode",
"registrar",
"ip address",
"http",
"port",
"accept",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"found",
"united",
"ascii text",
"pattern match",
"mitre att",
"title",
"hybrid",
"general",
"path",
"click",
"strings",
"body",
"initial access",
"local",
"passive dns",
"urls",
"url add",
"related nids",
"files location",
"flag united",
"backdoor",
"status",
"aaaa",
"date",
"name servers",
"record value",
"emails",
"present aug",
"present sep",
"moved",
"error",
"antivm",
"drive by",
"cab by"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 544,
"FileHash-SHA256": 2300,
"URL": 3905,
"hostname": 1675,
"FileHash-MD5": 209,
"FileHash-SHA1": 210,
"CIDR": 1,
"email": 7,
"SSLCertFingerprint": 8,
"CVE": 2
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "171 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d877d6231fc1cbe1792ee1",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:38.895000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d877e28416d81633bae1ad",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:50.976000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68d0f099f60e98e6c4ffc1e5",
"name": "Elaborate Medical Insurance Scheme | Claims Reversal",
"description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam",
"modified": "2025-10-22T05:00:52.085000",
"created": "2025-09-22T06:45:45.714000",
"tags": [
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"date",
"encrypt",
"united",
"backdoor",
"entries",
"passive dns",
"hstr",
"checkin",
"next associated",
"lowfi",
"trojan",
"ipv4 add",
"twitter",
"trojandropper",
"ransom",
"body",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"url http",
"ck ids",
"t1036",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob",
"yara",
"report spam",
"otx generated",
"created",
"hours ago",
"otx auto",
"new york",
"tsara brashears",
"search",
"filehashsha1",
"filehashmd5",
"domain",
"hostname",
"virgin islands",
"canada",
"ireland",
"pes of",
"expiration",
"hall render",
"possible deep",
"https",
"panda",
"post",
"insane",
"law firm",
"virtool",
"service",
"iocs",
"learn more",
"et trojan",
"msie",
"windows nt",
"show",
"unknown",
"france as16276",
"united kingdom",
"possible",
"write",
"win32",
"malware",
"copy",
"next",
"et",
"returnurl"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"Netherlands",
"Italy",
"Aruba",
"Germany",
"Ireland",
"Spain",
"Poland",
"Canada",
"T\u00fcrkiye",
"Romania",
"Sweden",
"Australia",
"Singapore",
"Denmark"
],
"malware_families": [
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2905,
"URL": 5029,
"hostname": 1146,
"FileHash-SHA256": 935,
"FileHash-MD5": 102,
"FileHash-SHA1": 100,
"email": 3
},
"indicator_count": 10220,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "180 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68cb233ba91aa1eb958b3f31",
"name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder",
"description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
"modified": "2025-10-17T19:03:15.031000",
"created": "2025-09-17T21:08:11.518000",
"tags": [
"script urls",
"meta",
"moved",
"x tec",
"passive dns",
"encrypt",
"america flag",
"san francisco",
"extraction",
"data upload",
"type indicatod",
"united states",
"a domains",
"united",
"gmt server",
"jose",
"university",
"bill",
"rmhs",
"information",
"board",
"lorin",
"joseph",
"all veterans",
"rocky mountain",
"mission",
"vice",
"april",
"school",
"austin",
"prior",
"ipv4 add",
"urls",
"files",
"location united",
"wordpress",
"rmhs meta",
"tags viewport",
"rmhs og",
"rmhs article",
"wpbakery page",
"builder",
"slider plugin",
"google tag",
"mountain human",
"denver",
"connecting",
"denver start",
"relevance home",
"providers",
"contact us",
"rmhs main",
"server",
"redacted tech",
"redacted admin",
"registrar abuse",
"algorithm",
"key identifier",
"x509v3 subject",
"dnssec",
"country",
"ttl value",
"graph summary",
"resolved ips",
"ip address",
"port",
"data",
"screenshots no",
"involved direct",
"country name",
"name response",
"tcp connections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"found",
"spawns",
"t1590 gather",
"path",
"ascii text",
"exif standard",
"tiff image",
"format",
"stop",
"false",
"soldier",
"model",
"youth",
"baby",
"june",
"general",
"local",
"click",
"strings",
"core",
"warrior",
"green",
"emotion",
"flash",
"nina",
"hunk",
"fono",
"daam",
"mitre att",
"ck techniques",
"id name",
"malicious",
"windows nt",
"win64",
"khtml",
"gecko",
"brand",
"microsoft edge",
"show process",
"self",
"date",
"comspec",
"hybrid",
"form",
"log id",
"gmtn",
"tls web",
"b2 f6",
"b0n timestamp",
"f9401a",
"record value",
"x wix",
"certificate",
"domain add",
"pulse submit",
"body",
"domain related",
"blackbox",
"apple",
"helix",
"dvrdns",
"tracking",
"remote access",
"ios",
"spyware",
"hoax",
"dynamicloader",
"ptls6",
"medium",
"flashpix",
"high",
"ygjpavclsline",
"officespace",
"chartshared",
"powershell",
"write",
"malware",
"ygjpaulscontext",
"status",
"japan unknown",
"domain",
"pulses",
"search",
"accept",
"apt10",
"trojanspy",
"win32",
"entries",
"susp",
"backdoor",
"useragent",
"showing",
"virtool",
"twitter",
"mozilla",
"trojandropper",
"trojan",
"title",
"onelouder",
"yara det",
"maware samoe",
"genaco x",
"ids detec",
"ids terse",
"win3 data",
"include review",
"exclude sugges",
"targeting",
"show",
"copy",
"reads",
"dynamic",
"vendor finding",
"notes clamav",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"next yara"
],
"references": [
"rmhumanservices.org",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
"ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
"http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
"http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
"https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
"https://www.mlkfoundation.net/ (Foundry DGA)",
"remotewd.com x 34 devices",
"South Africa based: remote.advisoroffice.com",
"acc.lehigtapp.com - malware",
"http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )",
"Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022",
"Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
"Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
"https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
"YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
"http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
"IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
"IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
"IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
"1.organization.api.powerplatform.partner.microsoftonline.cn",
"chinaeast2.admin.api.powerautomate.cn",
"https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
"https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
"ssa-gov.authorizeddns",
"hmmm\u2026http://palander.stjernstrom.se/",
"https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
],
"public": 1,
"adversary": "APT 10",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APT 10",
"display_name": "APT 10",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "KoobFace",
"display_name": "KoobFace",
"target": null
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Nivdort Checkin",
"display_name": "Nivdort Checkin",
"target": null
},
{
"id": "Win.Malware.Installcore-6950365-0",
"display_name": "Win.Malware.Installcore-6950365-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Golfing",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 690,
"hostname": 1912,
"URL": 5925,
"FileHash-SHA1": 273,
"email": 8,
"FileHash-SHA256": 3618,
"CIDR": 3,
"FileHash-MD5": 254,
"SSLCertFingerprint": 19,
"CVE": 2
},
"indicator_count": 12704,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "184 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://xchmm.cloudns.be",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://xchmm.cloudns.be",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776665259.909051
}