{ "type": "URL", "indicator": "https://za.konnect.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://za.konnect.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4140658140, "indicator": "https://za.konnect.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b925e85c948d4dd608cc", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:25.852000", "created": "2026-03-12T13:01:25.852000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e974189d2c41f07ed8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:25.910000", "created": "2026-03-12T13:00:25.910000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8e74d2b3effd55f88c3", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:23.173000", "created": "2026-03-12T13:00:23.173000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8dfbf8426a7a1d0146d", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:15.427000", "created": "2026-03-12T13:00:15.427000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d7123610591625b8fb", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:07.354000", "created": "2026-03-12T13:00:07.354000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d61e3f64a8f1f169b6", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:06.214000", "created": "2026-03-12T13:00:06.214000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b8d24eeb4200bdb1d702", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:02.096000", "created": "2026-03-12T13:00:02.096000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687992eceac6f12e9cebd65f", "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet", "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime", "modified": "2025-12-28T19:04:27.449000", "created": "2025-07-18T00:18:50.968000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 375, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "112 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "account-apple.com", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "Musiclab, LLC", "b9e4e47c3f96846c30581c08acf5bc56.virus", "http://console.applemarketingtools.com/", "xn--cloud-4sa.com", "euw-serp-dev-testing19.duck.ai", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "BearShare Install File Version 12.0.0.135802", "africa.konnect.com", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "http://cab.applemarketingtools.com", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "ids-apple.com \u2022 itunes.org", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Yara Detections: Tofsee", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others" ], "malware_families": [ "Win.trojan.tofsee-7102058-0", "Trojandownloader:linux/mirai", "Zeroaccess - s0027", "Cve-2023-22518", "Mirai (windows)", "Backdoor:linux/mirai", "#lowfi:siga:trojandownloader:msil/genmaldow", "Alf:html/phishing", "Graphite (pegasus variant)", "Trojan:js/berbew", "#lowfitrojan:html/iframe", "#lowfi:exploit:java/cve-2012-0507", "Win32.application.bearshare.a", "Pegasus for mac", "Careto", "Exploit:win32/cve-2017-0147", "Pegasus rdp module for windows", "Alf:backdoor:java/webshell", "Html smuggling", "Backdoor:win32/tofsee.t", "Xloader for ios - s0490", "Win32/searchsuite", "Paragon (pegasus variant)", "#hstr:hacktool:win32/remoteshell", "#lowfi:hstr:win32/mediadownloader", "Pegasus for android - mob-s0032", "Pegasus for ios - s0289", "Skynet", "Win.packed.bandook-9882274-1", "Alf:backdoor:powershell/reverseshell", "Trojandownloader:win32/cutwail", "Starfighter (javascript)" ], "industries": [ "Government", "Healthcare", "Technology", "Civilians", "People", "Civil" ], "unique_indicators": 301402 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/konnect.com", "whois": "http://whois.domaintools.com/konnect.com", "domain": "konnect.com", "hostname": "za.konnect.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8041acb7d71607578f3", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T06:02:06.057000", "created": "2026-04-05T05:49:56.708000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d1f8066431fee3647fa5ff", "name": "CAPE Sandbox", "description": "<>", "modified": "2026-04-05T05:53:01.644000", "created": "2026-04-05T05:49:58.156000", "tags": [ "verisign", "verisign class", "display driver", "verisign trust", "network o", "pulses", "code signing", "mon feb", "public primary", "digital id", "class", "win32 exe", "pe32", "ms windows", "icons library", "os2 executable", "generic windos", "executable", "dos executable", "pe64 compiler", "ltcgc", "status", "issuer verisign", "ca valid", "from", "valid", "valid usage", "algorithm", "thumbprint", "ca status", "g5 valid", "verisign status", "valid issuer", "client auth", "hash", "cf b8", "b7 b4", "a8 f0", "ab c5", "bb f6", "f7 a3", "name verisign", "g5 issuer", "microsoft code", "valid from", "thumbprint md5", "serial number", "ec f2", "init", "copyright", "product monitor", "original name", "file version", "word document", "file v2", "document", "outlook", "settings", "generic ole2", "multistream", "compound", "time stamping", "signer", "g4 issuer", "symantec time", "stamping", "g2 valid", "open xml", "zip archive", "word microsoft", "office open", "xml format", "open packaging", "cf f4", "c8 fe", "digicert sha2", "assured id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 54, "FileHash-SHA256": 1900, "URL": 684, "IPv4": 135, "hostname": 657, "domain": 387, "CVE": 6 }, "indicator_count": 3894, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "38 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://za.konnect.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://za.konnect.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641622.3962233 }