{
"type": "URL",
"indicator": "https://zissely.h5dev.xyz/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://zissely.h5dev.xyz/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4105055320,
"indicator": "https://zissely.h5dev.xyz/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 45,
"pulses": [
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69da656a68549f39be14bd77",
"name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise",
"description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat",
"modified": "2026-04-11T15:14:50.815000",
"created": "2026-04-11T15:14:50.815000",
"tags": [
"united",
"unknown ns",
"ip address",
"st kitts",
"gmt content",
"ai chat",
"all domain",
"encrypt",
"mtb mar",
"virtool",
"x frame",
"x xss",
"x content",
"gmt cache",
"twitter",
"win32",
"locale",
"extraction",
"gm cache",
"include data",
"review exclude",
"suggestadiacs",
"report spam",
"duckduckgo",
"url http",
"urls",
"all url",
"http",
"active",
"duck.ai",
"duckduckgo ai",
"private ai",
"chatbot",
"free ai",
"chat",
"anonymous ai",
"ai chat",
"no sign up",
"openai",
"anthropic",
"llama",
"mistral",
"open source",
"javascript",
"ai models",
"privacy focused",
"recording screen",
"ai",
"no account ai chat",
"data upload",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"development att",
"ssl certificate",
"over",
"defense evasion",
"mitre att",
"ck matrix",
"size",
"meta",
"april",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"dark",
"roboto",
"invisible",
"desktop",
"small",
"tls sni",
"contacted",
"filehash",
"ids detections",
"yara detections",
"alerts",
"file sharing",
"https domain",
"tls handshake",
"failure alerts",
"less ip",
"nextcloud",
"hackers",
"they mad",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"port",
"destination",
"malware",
"write",
"self",
"network_icmp",
"icmp traffic",
"passive dns",
"moved",
"netherlands",
"gmt server",
"gmt etag",
"user agent",
"all ipv4",
"pulse submit",
"url analysis",
"apache",
"accept",
"writeconsolea",
"script",
"read c",
"search",
"show",
"medium",
"html",
"high",
"form",
"create c",
"write c",
"registry",
"windows",
"delete c",
"tools",
"persistence",
"execution",
"dock",
"malicious",
"unknown"
],
"references": [
"duck.ai \u2022 https://duck.ai/chat phishing",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"anyconnect.online",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"files.catbox.moe",
"passwordresetalcb.accenture.cn",
"https://www.phantomcameras.cn.bscedge.com",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org",
"loophole.outlook89.accesscam.org",
"https://www.phantomcameras.cn/applications/where/piv",
"https://www.phantomcameras.cn.bscedge.com",
"52.250.42.157 scanning_host",
"https://nextcloud.simonduffey.ch",
"https://nextcloud.paroxity.org/",
"http://mail.saynextapp.accesscam.org/",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"https://duck.ai/apple-touch-icon.png",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"http://up.chenmin.org/login/jquery.min.js",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"Win.Packed.Reline-9875163-0",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"Alerts: antivm_memory_available pe_features raises",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"https://www.mof.gov.cn.lxcvc.com/",
"https://cms.medicarementalhealthcheckin.gov.au",
"https://duck.ai/apple-touch-icon.png",
"edge-mobile-static.azureedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"target": null
},
{
"id": "VirTool:MSIL/Mousewe.A!MTB",
"display_name": "VirTool:MSIL/Mousewe.A!MTB",
"target": "/malware/VirTool:MSIL/Mousewe.A!MTB"
},
{
"id": "Win.Packed.Reline-9875163-0",
"display_name": "Win.Packed.Reline-9875163-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1181,
"FileHash-SHA1": 195,
"IPv4": 50,
"domain": 320,
"hostname": 529,
"FileHash-SHA256": 1702,
"FileHash-MD5": 201,
"SSLCertFingerprint": 8
},
"indicator_count": 4186,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa019f4509897e354fe029",
"name": "credit Q Vashti Cloned Pulse ",
"description": "",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-03-05T22:20:15.324000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "69a2127d12dce12538b57d72",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5644,
"domain": 701,
"hostname": 1920,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9877,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a2127d12dce12538b57d72",
"name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets",
"description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-02-27T21:54:05.261000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5643,
"domain": 700,
"hostname": 1918,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9873,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69612a0df518040b20932bef",
"name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store",
"description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]",
"modified": "2026-02-08T15:00:50.749000",
"created": "2026-01-09T16:17:17.632000",
"tags": [
"defense evasion",
"cor ta0011",
"techni process",
"application l",
"encrypted ch",
"christ jesus",
"just",
"final charge",
"timothy10",
"antioch",
"iconium",
"lystra",
"lord",
"holy scriptures",
"scripture",
"bible gateway",
"no expiration",
"expiration",
"a domains",
"present sep",
"united",
"present jun",
"meta",
"present oct",
"present aug",
"servers",
"title",
"data upload",
"extraction",
"palantir foundry",
"listeners",
"dev",
"redirects",
"redirect health",
"health data",
"utc google",
"utc na",
"script",
"utc amazon",
"bible",
"meta tags",
"read",
"bible reading",
"trackers google",
"anchor",
"analyse headers",
"contenttype",
"transferenco",
"connection",
"date fri",
"server",
"read c",
"as16509",
"rgba",
"unicode",
"execution",
"dock",
"write",
"persistence",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"moved",
"urls",
"pegasus",
"encrypt",
"script urls",
"record value",
"tls handshake",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"next",
"capture",
"malware",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"access att",
"t1189 driveby",
"html",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"et info",
"bad traffic",
"hybrid",
"general",
"local",
"path",
"click",
"adversaries",
"execution att",
"t1204 user",
"t1480 execution",
"null",
"refresh",
"span",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"timothy",
"search",
"tag manager",
"g8t6ln06z40",
"code",
"css",
"js",
"router",
"cloudfront",
"John 12:17",
"port",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"destination",
"loaderid",
"lidfileupd",
"stream"
],
"references": [
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://pegasus.pahamify.com/",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"John 12:17"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Bible Gateway",
"display_name": "Bible Gateway",
"target": null
},
{
"id": "Pahamify Pegasus",
"display_name": "Pahamify Pegasus",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6527,
"hostname": 2450,
"FileHash-SHA256": 1716,
"FileHash-MD5": 245,
"FileHash-SHA1": 134,
"domain": 1101,
"email": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 12184,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "70 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6949930871afea435a774daa",
"name": "HomeASAP | Emotet CnC Activity - Bot Network",
"description": "https://HomeASAP.com is affected by Emotet CnC Activity. While I\u2019ve never heard of this app , I receive a tip re: infected devices I\u2019m currently researching and the infected search result from infected search engine. \n\nDevices infected with Pegasus and other more stealth than Pegasus, undetectable (for now) services. .",
"modified": "2026-01-21T18:00:43.637000",
"created": "2025-12-22T18:50:48.514000",
"tags": [
"per7cgvxw6k8m",
"right",
"left",
"zqwfztj",
"luptdaizzl",
"qchrk",
"brkzmji",
"igpsfvjnu",
"ibwavcm",
"uwlusjb",
"false",
"template",
"malware",
"win64",
"project",
"write",
"number",
"thu sep",
"yara detections",
"none alerts",
"contacted",
"less",
"related tags",
"title",
"emotet cnc activity",
"brian sabey",
"traps",
"christopher p. ahmann",
"united",
"czech republic",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"belgium belgium",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"spawns",
"botnet",
"network",
"bad traffic",
"malicious email",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ogoogle trust",
"file",
"show process",
"hybrid",
"general",
"local",
"path",
"encrypt",
"click",
"pe",
"executable"
],
"references": [
"https://about.homeasap.com",
"Bot network",
"\"vgkw.maillist-manage.com\" is probably a mail server",
"IDS Detections: Win32/Emotet CnC Activity (POST) M10",
"Suspicious EXE download from WordPress folder",
"PE EXE or DLL Windows file download HTTP",
"Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download EXE - Served Attached HTTP"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Doc.Trojan.Agent-9765752-0",
"display_name": "Doc.Trojan.Agent-9765752-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1087.003",
"name": "Email Account",
"display_name": "T1087.003 - Email Account"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1560,
"domain": 426,
"hostname": 655,
"FileHash-SHA1": 21,
"email": 1,
"FileHash-SHA256": 598,
"FileHash-MD5": 20,
"SSLCertFingerprint": 18,
"CVE": 2
},
"indicator_count": 3301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "87 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6940b852c28f2a2c6abb4aad",
"name": "FRITZ!Box \u2026.Connecting to Apple devices",
"description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.",
"modified": "2026-01-15T01:02:47.757000",
"created": "2025-12-16T01:39:30.381000",
"tags": [
"fritz",
"strong",
"main navigation",
"deutsch",
"englisch",
"funktionen der",
"verbindung zur",
"wifi",
"ip address",
"box avm",
"lowfi",
"win32",
"susp",
"urls",
"files",
"asn as44716",
"related tags",
"indicator facts",
"germany unknown",
"a domains",
"meta",
"typo3",
"body doctype",
"kasper skaarhoj",
"gmt server",
"pragma",
"a nxdomain",
"nxdomain",
"whitelisted",
"present aug",
"present jul",
"present oct",
"present jun",
"united",
"present sep",
"present nov",
"next http",
"scans show",
"title",
"div div",
"a li",
"wir suchen",
"li ul",
"avm karriere",
"dich a",
"reverse dns",
"berlin",
"germany asn",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"none related",
"passive dns",
"ipv4",
"url analysis",
"present dec",
"moved",
"certificate",
"vertriebs gmbh",
"aaaa",
"as12732 gutcon",
"domain",
"hostname",
"verdict",
"files ip",
"address",
"germany",
"as13335",
"as8220 colt",
"present may",
"united kingdom",
"regsetvalueexa",
"regdword",
"regbinary",
"show",
"yara detections",
"regsetvalueexw",
"regsz",
"medium",
"suspicious",
"delphi",
"malware",
"write",
"as6878",
"msie",
"chrome",
"gmt content",
"germany showing",
"createobject",
"set http",
"search",
"high",
"read c",
"et trojan",
"jfif",
"ascii text",
"detected",
"trojan generic",
"checkin",
"pony downloader",
"http library",
"virustotal",
"riskware",
"mcafee",
"drweb",
"vipre",
"trojan",
"panda",
"next",
"unknown",
"as15169 google",
"status",
"name servers",
"record value",
"emails",
"error",
"trojandropper",
"results dec",
"ddos",
"worm",
"mtb trojan",
"mtb apr",
"exev2e",
"ia256",
"extraction",
"get http",
"post http",
"learn",
"command",
"ck id",
"name tactics",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"germany germany",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"show technique",
"ck matrix",
"show process",
"network traffic",
"t1057",
"t1071",
"hybrid",
"local",
"path",
"t1204 user",
"defense evasion",
"t1480 execution",
"sha1",
"sha256",
"size",
"script",
"null",
"span",
"refresh",
"footer",
"body",
"june",
"general",
"click",
"strings",
"tools",
"tracker",
"code",
"look",
"verify",
"restart",
"bad traffic",
"et info",
"tls handshake",
"failure",
"process details",
"flag",
"link",
"present feb",
"servers",
"redacted for",
"as20546 soprado",
"encrypt",
"mtb sep",
"ransom",
"next associated",
"twitter",
"virtool",
"hostname add",
"location russia",
"as200350",
"russia unknown",
"federation flag",
"ipv4 add",
"asn as200350",
"related",
"domain add",
"unknown ns",
"expiration date",
"http version",
"windows nt",
"gbot",
"post method",
"port",
"destination",
"delete",
"get na",
"as15169",
"expiration",
"url https",
"no expiration",
"showing",
"entries",
"url add",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"unknown cname",
"cname",
"asn as24940",
"less",
"date",
"pulse submit"
],
"references": [
"https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |",
"https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1",
"AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US",
"Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA",
"Subject: DE Certificate Subject: Berlin Certificate Subject",
"https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d",
"http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com",
"https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud",
"ecs-80-158-49-8.reverse.open-telekom-cloud.com",
"http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne",
"HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba",
"Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet",
"Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0",
"Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft",
"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System",
"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114",
"ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114",
"ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114",
"ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114",
"http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box",
"http://netuser.joymeng.com/charge_apple/notify",
"https://www.passcreator.com/en/apple-wallet-passes",
"https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No",
"apple-business.cancom.at",
"Apple - 162.55.158.153",
"Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f",
"Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283",
"Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc",
"Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53",
"ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "#LowFi:Tool:Win32/VbsToExeV2E",
"display_name": "#LowFi:Tool:Win32/VbsToExeV2E",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Androp",
"display_name": "Androp",
"target": null
},
{
"id": "Inject.BRDV",
"display_name": "Inject.BRDV",
"target": null
},
{
"id": "Win32:Androp",
"display_name": "Win32:Androp",
"target": null
},
{
"id": "Crypt2.AZDI",
"display_name": "Crypt2.AZDI",
"target": null
},
{
"id": "TEL:MSIL/DlSocConSend",
"display_name": "TEL:MSIL/DlSocConSend",
"target": "/malware/TEL:MSIL/DlSocConSend"
},
{
"id": "DDOS:Linux/Lightaidra",
"display_name": "DDOS:Linux/Lightaidra",
"target": "/malware/DDOS:Linux/Lightaidra"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Trojan:Win32/Salgorea.C!MTB",
"display_name": "Trojan:Win32/Salgorea.C!MTB",
"target": "/malware/Trojan:Win32/Salgorea.C!MTB"
},
{
"id": "Worm:Win32/Autorun.XFV",
"display_name": "Worm:Win32/Autorun.XFV",
"target": "/malware/Worm:Win32/Autorun.XFV"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "Worm:Win32/Yuner.A",
"display_name": "Worm:Win32/Yuner.A",
"target": "/malware/Worm:Win32/Yuner.A"
},
{
"id": "Win.Trojan.Zegost",
"display_name": "Win.Trojan.Zegost",
"target": null
},
{
"id": "PWS:Win32/QQpass",
"display_name": "PWS:Win32/QQpass",
"target": "/malware/PWS:Win32/QQpass"
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Win.Trojan.Generic",
"display_name": "Win.Trojan.Generic",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win32/Trickler",
"display_name": "Win32/Trickler",
"target": null
},
{
"id": "Win.Malware.Hd0kzai-9985588-0",
"display_name": "Win.Malware.Hd0kzai-9985588-0",
"target": null
},
{
"id": "Trojan:Win32/Aenjaris.AL!bit",
"display_name": "Trojan:Win32/Aenjaris.AL!bit",
"target": "/malware/Trojan:Win32/Aenjaris.AL!bit"
},
{
"id": "Trojan:Win32/Agent.AG!MTB",
"display_name": "Trojan:Win32/Agent.AG!MTB",
"target": "/malware/Trojan:Win32/Agent.AG!MTB"
},
{
"id": "Trojan:Win32/Salgorea",
"display_name": "Trojan:Win32/Salgorea",
"target": "/malware/Trojan:Win32/Salgorea"
},
{
"id": "Win.Malware.Barys-6840738-0",
"display_name": "Win.Malware.Barys-6840738-0",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Trojan:Win32/EyeStye.T",
"display_name": "Trojan:Win32/EyeStye.T",
"target": "/malware/Trojan:Win32/EyeStye.T"
},
{
"id": "wormWin32/Mofksys.RND!MTB",
"display_name": "wormWin32/Mofksys.RND!MTB",
"target": null
},
{
"id": "TrojanDropper:Win32/VB.IL",
"display_name": "TrojanDropper:Win32/VB.IL",
"target": "/malware/TrojanDropper:Win32/VB.IL"
},
{
"id": "CVE 2007695",
"display_name": "CVE 2007695",
"target": null
}
],
"attack_ids": [
{
"id": "T1008",
"name": "Fallback Channels",
"display_name": "T1008 - Fallback Channels"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 927,
"hostname": 2093,
"FileHash-SHA256": 1474,
"URL": 5935,
"FileHash-MD5": 351,
"FileHash-SHA1": 252,
"email": 5,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11040,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "94 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693de4a8a72cf95b028365f0",
"name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee",
"description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets",
"modified": "2026-01-12T21:02:35.560000",
"created": "2025-12-13T22:11:52.474000",
"tags": [
"network",
"ip address",
"subnet",
"dynamicloader",
"port",
"destination",
"high",
"windows",
"united",
"write",
"tofsee",
"stream",
"win64",
"push",
"urls",
"url analysis",
"dnssec",
"script domains",
"encrypt",
"url add",
"http",
"related nids",
"flag united",
"germany",
"address google",
"passive dns",
"ipv4 add",
"files",
"asn as13335",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"location united",
"asn asnone",
"present dec",
"backdoor",
"lowfi",
"win32autoit mar",
"urls show",
"date checked",
"connection",
"httponly",
"secure",
"path",
"expiressat",
"dynamic cfray",
"medium",
"delete c",
"displayname",
"show",
"unknown",
"next",
"rndhex",
"malware",
"cname",
"next associated",
"url hostname",
"server response",
"google safe",
"read c",
"unicode",
"png image",
"rgba",
"memcommit",
"dock",
"execution",
"files location",
"china flag",
"china hostname",
"hostname",
"domain",
"files ip",
"address",
"asn as45102",
"gmt content",
"certificate",
"associated urls",
"location china",
"china asn",
"as4808 china",
"present aug",
"object",
"present apr",
"present oct",
"alman",
"present sep",
"error",
"present jul",
"rmndrp",
"present feb",
"expiration",
"url https",
"url http",
"iocs",
"review iocs",
"expireswed",
"samesitenone",
"maxage86400",
"maxage0",
"server",
"expires",
"victina nulcac",
"data upload",
"extraction",
"enter",
"enter source",
"url data",
"type",
"extract indic",
"included iocs",
"china unknown",
"botnet",
"folk in browser",
"japan unknown",
"asnone country",
"as13335",
"a domains",
"script urls",
"servers",
"title",
"moved",
"record value",
"entries",
"whitelisted",
"powershell",
"xf9xb5xf9",
"xxcexf6x8fr",
"k2xe7xcbxxeaxa2",
"x99x19",
"x88yxf9xc858",
"x83x12x8da",
"zx9bx8ex84",
"attempts",
"yara detections",
"contacted",
"tags none",
"file type",
"pe packer",
"dll compilation",
"guard",
"botnets"
],
"references": [
"https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
"x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
"foundry.neconsside.com \u2022 http://foundry.neconsside.com",
"http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
"IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America",
"Russian Federation",
"T\u00fcrkiye",
"Netherlands"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "HtBot",
"display_name": "HtBot",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1481",
"name": "Web Service",
"display_name": "T1481 - Web Service"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8145,
"domain": 1389,
"FileHash-SHA256": 1545,
"CIDR": 2,
"hostname": 2533,
"FileHash-MD5": 209,
"FileHash-SHA1": 190,
"email": 6,
"SSLCertFingerprint": 4
},
"indicator_count": 14023,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693b7dc3cf1996347652ef92",
"name": "Google Site Redirector - Tesla Hackers",
"description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.",
"modified": "2026-01-11T00:03:08.581000",
"created": "2025-12-12T02:28:19.107000",
"tags": [
"compromised_site_redirector_fromcharcode",
"site_redirector",
"string",
"regexp",
"error",
"number",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"write",
"form",
"flash",
"vd",
"tesla hackers",
"nxdomain",
"passive dns",
"ip address",
"domain",
"a nxdomain",
"urls",
"files",
"ip related",
"pulses otx",
"google",
"unknown",
"oracle",
"dynamicloader",
"medium",
"high",
"windows",
"rndhex",
"write c",
"rndchar",
"displayname",
"tofsee",
"yara rule",
"stream",
"strings",
"push",
"lte all",
"search otx",
"ource url",
"or text",
"paste",
"data upload",
"extraction",
"elon musk",
"indicator role",
"active related",
"ipv4",
"exploitsource",
"url https",
"url http",
"desktopinternet",
"title added",
"pulses ipv4",
"less see",
"ids detections",
"vuze bt",
"udp connection",
"contacted",
"filehash",
"av detections",
"yara detections",
"alerts",
"0x8aa42",
"0xe3107",
"upnp",
"http request",
"bittorrent",
"file",
"module load",
"t1129",
"post http",
"install",
"execution",
"malware",
"hostile",
"crawl",
"windows nt",
"wow64",
"get zona",
"get httpget",
"hash",
"entries",
"read c",
"suspicious",
"next",
"united"
],
"references": [
"Tesla Hackers | https://www.teslarati.com/spacex",
"Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint",
"142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source",
"IDS Detections Win32/ZonaInstaller Install Beacon",
"https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\",
"https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=",
"https://www.google-analytics.com/debug/bootstrap?id=\\",
"https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga",
"https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022",
"https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=",
"This is why our team tells a back story. It can and does happen to anyone.",
"We apologize for so may typos and errors. We strive to do better at that."
],
"public": 1,
"adversary": "Tesla Hackers",
"targeted_countries": [],
"malware_families": [
{
"id": "Vd",
"display_name": "Vd",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Trojan.12382640-1",
"display_name": "Win.Trojan.12382640-1",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 65,
"FileHash-SHA1": 34,
"FileHash-SHA256": 2032,
"URL": 4921,
"domain": 567,
"hostname": 1586,
"SSLCertFingerprint": 4
},
"indicator_count": 9209,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "98 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6939d93da11a7d2bf7535ef1",
"name": "Tesla Hackers Log In | Disqus",
"description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021. It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.",
"modified": "2026-01-09T19:02:12.608000",
"created": "2025-12-10T20:34:05.903000",
"tags": [
"disqus",
"disqus.com",
"comments",
"blog",
"blogs",
"discussion",
"google facebook",
"twitter",
"microsoft apple",
"email",
"forgot password",
"login",
"sign",
"general full",
"url https",
"security tls",
"united",
"asn54113",
"fastly",
"reverse dns",
"resource",
"hash",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"network traffic",
"t1057",
"path",
"learn",
"command",
"suspicious",
"informative",
"name tactics",
"spawns",
"t1480 execution",
"signing defense",
"file defense",
"read c",
"tlsv1",
"search",
"jfif",
"ijg jpeg",
"tls handshake",
"failure",
"show",
"port",
"execution",
"next",
"dock",
"write",
"persistence",
"malware",
"unknown",
"waymo",
"tesla",
"musk",
"austin",
"bay area",
"tesla ceo",
"elon musk",
"wednesday",
"safety monitor",
"synacktiv",
"aaaa",
"present jul",
"status",
"asnone country",
"as13335",
"present sep",
"present apr",
"present dec",
"present jun",
"lte all",
"search otx",
"additionally",
"enter source",
"url or",
"data upload",
"extraction",
"entries",
"present may",
"dynamicloader",
"as15169",
"medium",
"write c",
"odigicert inc",
"windows",
"as54113",
"worm",
"copy",
"explorer",
"encrypt",
"target tsraa brashears"
],
"references": [
"http://pickyhot.disqus.com/",
"https://www.teslarati.com/tesla-hackers",
"https://pickyhot.disqus.com/tsara-brashears",
"All tags auto populated including\u2019 Elon Musk\u2019",
"Running webserver Running WordPress Running Drupal",
"bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou",
"https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org",
"https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"www.endgame.com",
"://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com",
"https://www.endgames.us \u2022 https://www.endgames.us/",
"wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com",
"https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com",
"https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com",
"http://www.endgamesystems.com/",
"http://wg41xm05b3.endgamesystems.com/",
"http://www.endgamesystems.com/",
"Requires further research"
],
"public": 1,
"adversary": "Tesla Hackers",
"targeted_countries": [],
"malware_families": [
{
"id": "Synacktiv",
"display_name": "Synacktiv",
"target": null
},
{
"id": "Tesla Hackers",
"display_name": "Tesla Hackers",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Mofksys",
"display_name": "Mofksys",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2523,
"URL": 6583,
"FileHash-SHA256": 1132,
"domain": 1483,
"FileHash-SHA1": 43,
"SSLCertFingerprint": 17,
"FileHash-MD5": 109,
"email": 2
},
"indicator_count": 11892,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "99 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693596f8cd50958de6e9415c",
"name": "Eternal Blue Probe - YouTube - GSE",
"description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.",
"modified": "2026-01-06T00:03:32.099000",
"created": "2025-12-07T15:02:16.840000",
"tags": [
"asn as8068",
"cloud provider",
"reverse dns",
"america flag",
"united",
"america asn",
"as8068",
"united states",
"avast avg",
"ids detections",
"yara detections",
"probe ms17010",
"smbds ipc",
"av detections",
"alerts",
"read c",
"medium",
"rgba",
"unicode",
"msf style",
"dock",
"write",
"execution",
"malware",
"eternal blue",
"check in",
"file score",
"medium risk",
"generic flags",
"ms17010",
"none alerts",
"less ip",
"contacted",
"matches",
"mirroring",
"chromeshorts",
"gse",
"google",
"youtube",
"dating apps",
"suspicious apps",
"search engine",
"redirect",
"eternalblue"
],
"references": [
"chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access",
"Environment Awareness : Able to access user sensitive domai",
"Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval",
"Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities",
"Alerts : recono_fingerprint antivm_memory_available",
"www.endgame.com",
"admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com",
"URL https://mailcatcher.qa2.white-label-dating.com",
"Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.",
"Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.",
"Suspicious apps"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 449,
"FileHash-MD5": 26,
"FileHash-SHA1": 6,
"FileHash-SHA256": 169,
"URL": 719,
"domain": 86,
"SSLCertFingerprint": 1
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "692e2d950ac7d1e2a3454a4f",
"name": "Gooogle Accounts | Drive-by Compromise \u2022 Ransomware \u2022 Phishing Attack",
"description": "Google accounts Drive-by Compromise. Affected Google accounts redirects to a suspicious non - Google homepage. |\nRansomware | Adware | Phishing | Injection | \nExploits seen affecting both OS and iOS devices. Threat actors able to remotely access iOS device, unlock, access iCloud. System root control, fully infected devices, Attackers continue to ravage devices w/ drive by compromise, unsafe adware, malware text, etc., Seeks to remove malicious IoC\u2019s on mock accounts , password stealers",
"modified": "2025-12-31T23:04:59.378000",
"created": "2025-12-02T00:06:45.807000",
"tags": [
"iocs",
"drop",
"network traffic",
"ck id",
"mitre att",
"ck matrix",
"network related",
"detected",
"t1566",
"t1204",
"united",
"click",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"learn",
"suspicious",
"informative",
"name tactics",
"adversaries",
"command",
"initial access",
"spawns",
"found",
"binary file",
"t1189",
"regsetvalueexa",
"regdword",
"post http",
"medium",
"high",
"regbinary",
"loader",
"dock",
"write",
"malware",
"unknown",
"romania unknown",
"present may",
"msie",
"chrome",
"body",
"passive dns",
"ip address",
"present jun",
"welcome",
"accept",
"encrypt",
"gmt content",
"ipv4 add",
"url analysis",
"urls",
"files",
"reverse dns",
"unknown aaaa",
"certificate",
"hostname add",
"error",
"flag",
"domain address",
"contacted hosts",
"type",
"india unknown",
"record value",
"body html",
"head title",
"title",
"entries",
"read c",
"high defense",
"evasion",
"yara detections",
"virtool",
"win32",
"ahmann",
"hacker group",
"law firm",
"order",
"google",
"smart assembly"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "VirTool:MSIL/Injector.BF",
"display_name": "VirTool:MSIL/Injector.BF",
"target": "/malware/VirTool:MSIL/Injector.BF"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1087.003",
"name": "Email Account",
"display_name": "T1087.003 - Email Account"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 115,
"FileHash-SHA1": 112,
"FileHash-SHA256": 589,
"URL": 1795,
"SSLCertFingerprint": 3,
"domain": 319,
"hostname": 847,
"email": 1
},
"indicator_count": 3781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6916dc43beba2f3839fd7c36",
"name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com",
"description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix",
"modified": "2025-12-14T05:04:31.480000",
"created": "2025-11-14T07:37:39.794000",
"tags": [
"gmt content",
"related tags",
"found title",
"cache control",
"x request",
"runtime",
"vary",
"reverse dns",
"ashburn",
"resource",
"verdict",
"address",
"read c",
"unicode",
"high",
"memcommit",
"delete",
"dock",
"write",
"execution",
"next associated",
"server response",
"port",
"destination",
"crlf line",
"malware",
"png image",
"rgba",
"united states",
"medium",
"encrypt",
"america",
"msie",
"unknown",
"present jan",
"name servers",
"present oct",
"present may",
"present mar",
"present dec",
"present nov",
"united",
"present apr",
"present jun",
"urls show",
"url hostname",
"ip address",
"google safe",
"results jun",
"canada unknown",
"passive dns",
"canada",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"twitter",
"chrome",
"urls",
"files",
"asn as13335",
"dns resolutions",
"trojan",
"trojanspy",
"win32",
"title",
"servers",
"unknown ns",
"domain",
"present aug",
"present sep",
"files domain",
"files related",
"none google",
"safe browsing",
"unknown aaaa",
"moved",
"cloudfront x",
"meta",
"ip whois",
"registrar",
"hostname",
"files ip",
"ipv4 add",
"location united",
"america flag",
"america asn",
"present jul",
"virtool",
"record value",
"dnssec",
"meta http",
"content",
"gmt server",
"litespeed x",
"present feb",
"write c",
"as62597 nsone",
"as16509",
"module load",
"t1129",
"service",
"dynamicloader",
"windows",
"tofsee",
"stream",
"hostile",
"win64",
"delete c",
"all ipv4",
"url analysis",
"status",
"error",
"aaaa",
"ireland unknown",
"asn as14618",
"backdoor",
"a domains",
"russia",
"mtb nov",
"ransom",
"displayname",
"push",
"yara rule",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"rndchar",
"checks",
"checks system",
"filehash",
"av detections",
"ids detections",
"yara detections",
"learn",
"command",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"found",
"ssl certificate",
"flag",
"server",
"cloudflare",
"csc corporate",
"domains",
"fireeye",
"contacted hosts",
"mitre att",
"pattern match",
"ck matrix",
"hybrid",
"local",
"path",
"click",
"strings",
"foundry",
"josht.ca",
"paid parking",
"parking crews"
],
"references": [
"Fireye - FEDNS1.FIREEYE.COM",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://p2d.josht.ca/api/depots/info/?depot=",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"and our limited information, is Daisy a victim or a crisis actor?",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7617,
"domain": 1127,
"hostname": 3591,
"email": 9,
"FileHash-SHA256": 1160,
"FileHash-MD5": 481,
"FileHash-SHA1": 404,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 14403,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69138421066f81131da59cc5",
"name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ",
"description": "",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-11T18:44:49.343000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6907f7e98289b75f3e5ecaba",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6907f7e98289b75f3e5ecaba",
"name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet",
"description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices",
"modified": "2025-12-03T00:01:23.660000",
"created": "2025-11-03T00:31:37.396000",
"tags": [
"status",
"date",
"name servers",
"lowfi",
"passive dns",
"urls",
"domain",
"susp",
"win32",
"search",
"win64",
"error",
"url https",
"url http",
"ipv4",
"type indicator",
"role title",
"added active",
"related pulses",
"morocco",
"united kingdom",
"united",
"present nov",
"aaaa",
"present oct",
"cname",
"brazil",
"malaysia",
"title",
"present jun",
"ip address",
"creation date",
"record value",
"emails",
"unknown aaaa",
"body",
"url add",
"pulse pulses",
"http",
"related nids",
"files location",
"flag united",
"trojan",
"trojandropper",
"virtool",
"entries",
"next associated",
"ipv4 add",
"unknown ns",
"present jul",
"present sep",
"present aug",
"win32upatre nov",
"candyopen",
"tlsv1",
"port",
"destination",
"ogoogle trust",
"cngts ca",
"show",
"read c",
"youtube",
"copy",
"dock",
"write",
"next",
"malware",
"persistence",
"execution",
"filehashmd5",
"hostname",
"filehashsha256",
"types of",
"germany",
"poland",
"indicator role",
"title added",
"active related",
"pulses url",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 400,
"URL": 2857,
"FileHash-MD5": 217,
"FileHash-SHA1": 172,
"FileHash-SHA256": 1426,
"email": 6,
"hostname": 1019,
"SSLCertFingerprint": 6
},
"indicator_count": 6103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "137 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69069167e1e2a222bd7762f2",
"name": "Palantir - Spyware",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-11-01T23:01:59.339000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 57,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a6f4e35193c04401daaf",
"name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians",
"description": "",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:54:28.671000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": "68f9a1ef2dd26ec62a3c298c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9a1ef2dd26ec62a3c298c",
"name": "Listeners - Malicious Over the top espionage | Cyber Warfare?",
"description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com",
"modified": "2025-11-22T00:01:42.464000",
"created": "2025-10-23T03:33:03.315000",
"tags": [
"url https",
"url http",
"hostname",
"mulweli",
"mphomafmulweli",
"indicator role",
"ipv4",
"type indicator",
"added active",
"related pulses",
"united",
"envoy error",
"certificate",
"urls",
"emails",
"active related",
"africa",
"span",
"gmt server",
"colorado",
"denver",
"palantir",
"listen",
"listen linda",
"linda listen",
"listeners @ dantesdragon",
"palantir",
"all y",
"se referen",
"data upload",
"extraction",
"extra",
"referen data",
"overview domain",
"passive dns",
"files ip",
"address",
"asn asnone",
"as14618",
"all se",
"include review",
"exclude sugges",
"failed",
"typo",
"status",
"search",
"record value",
"server",
"domain status",
"key identifier",
"x509v3 subject",
"full name",
"registrar abuse",
"registrar",
"data",
"v3 serial",
"code",
"number",
"cus odigicert",
"inc cndigicert",
"global g2",
"tls rsa",
"sha256",
"united states",
"power query",
"microsoft learn",
"ordenar por",
"foundry",
"input",
"blocked",
"error id",
"conector",
"por ejemplo",
"sensitive",
"quickstart",
"present aug",
"present oct",
"unknown ns",
"showing",
"present sep",
"moved",
"title",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"asnone dns",
"resolutions",
"dga domain",
"ipv4 add",
"url analysis",
"name servers",
"div div",
"expiration date",
"page",
"present nov",
"present jan",
"present dec",
"present mar",
"present feb",
"virtool",
"cryp",
"error",
"win32",
"domain",
"ip address",
"domain add",
"next associated",
"pulse pulses",
"ashburn",
"extr referen",
"exclude",
"sugges",
"pulse submit",
"date",
"present jul",
"present jun",
"fastly error",
"please",
"handle",
"entity",
"record type",
"ttl value",
"msms93992282",
"read c",
"show",
"medium",
"tlsv1",
"whitelisted",
"module load",
"t1129",
"execution",
"dock",
"write",
"persistence",
"next",
"unknown",
"connector",
"cybercrime",
"harassment"
],
"references": [
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy."
],
"public": 1,
"adversary": "Quickstart",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Multiple Malware Attack",
"display_name": "Multiple Malware Attack",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1027.005",
"name": "Indicator Removal from Tools",
"display_name": "T1027.005 - Indicator Removal from Tools"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1132.002",
"name": "Non-Standard Encoding",
"display_name": "T1132.002 - Non-Standard Encoding"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
}
],
"industries": [
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2865,
"URL": 5728,
"email": 11,
"FileHash-MD5": 91,
"FileHash-SHA1": 75,
"FileHash-SHA256": 1713,
"domain": 1193,
"CVE": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 11679,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 180,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "148 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f80aa152fdd795fa008e2e",
"name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices",
"description": "",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-21T22:35:13.128000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f5cfa9b74d6faa43eb6585",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68f5cfa9b74d6faa43eb6585",
"name": "Indicator Removal service affecting Threat Hunters | Brian Sabey",
"description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-20T05:59:04.173000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff0848071708f9ee0c0bd",
"name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T19:05:40.466000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efee5ba882db423d3bad8f",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68efee5ba882db423d3bad8f",
"name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T18:56:27.950000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efedf37890e1b32d60eb55",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68efedf37890e1b32d60eb55",
"name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me",
"description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T18:54:43.205000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e32dd0c55bf224eb99dd58",
"name": "Appspot.com - Google account fraud & infostealing",
"description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]",
"modified": "2025-11-05T01:01:26.928000",
"created": "2025-10-06T02:47:44.098000",
"tags": [
"aaaa",
"susp",
"trojan",
"google",
"server",
"domain status",
"registrar abuse",
"domain name",
"us registrant",
"email",
"contact email",
"rdap database",
"google app",
"google hosted",
"please",
"vulnerabilities",
"join",
"bring",
"api explorer",
"engine",
"admin sdk",
"info",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"ascii text",
"united",
"pattern match",
"mitre att",
"general",
"local",
"path",
"click",
"strings",
"porn",
"phishing",
"fraud",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"download",
"apt",
"ansi",
"dumps",
"file string",
"seen",
"disabled hash",
"close",
"hosts",
"contact",
"tellwise",
"passive dns",
"urls",
"pulse pulses",
"files",
"verdict",
"domain",
"files ip",
"address",
"location united",
"asn as15169",
"extraction",
"data upload",
"extra",
"referen http",
"changed data",
"failed",
"include review",
"t07 exclude",
"extri data",
"changed",
"exclude",
"find s",
"tvnes data",
"status",
"present nov",
"name servers",
"entries",
"geoid no",
"present dec",
"date",
"error",
"title",
"sugges",
"typ no",
"no entrieotound",
"scam",
"foundry",
"sabey type",
"denver",
"quasi",
"phoenix",
"australia"
],
"references": [
"appspot.com \u2022 hyper7install.appspot.com",
"https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786",
"http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210",
"Changed last several digits of gmail account # In example",
"http://console.cloud.google.com/appengine",
"https://310940000.android.com.twitter.android.adsenseformobileapps.com/",
"https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc",
"device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21",
"116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com",
"jaycobundaberg.eclipseaurahub.com.au 192.168.0.21",
"grafana.ledocloud.com\u2022 192.168.0.21",
"192-168-0-21.siliconevalley1.direct.quickconnect.to"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32/Madang",
"display_name": "Win32/Madang",
"target": null
},
{
"id": "Win.Downloader.Small-1966",
"display_name": "Win.Downloader.Small-1966",
"target": null
},
{
"id": "Win32:SaliCode",
"display_name": "Win32:SaliCode",
"target": null
},
{
"id": "Virtool:Win32/Vbinder.CO",
"display_name": "Virtool:Win32/Vbinder.CO",
"target": "/malware/Virtool:Win32/Vbinder.CO"
},
{
"id": "!Themida",
"display_name": "!Themida",
"target": null
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "Win32/Scrarev.C",
"display_name": "Win32/Scrarev.C",
"target": null
},
{
"id": "Trojan:MSIL/RapidStealer.A",
"display_name": "Trojan:MSIL/RapidStealer.A",
"target": "/malware/Trojan:MSIL/RapidStealer.A"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 222,
"FileHash-MD5": 146,
"FileHash-SHA1": 317,
"FileHash-SHA256": 1120,
"email": 3,
"hostname": 881,
"URL": 1338,
"SSLCertFingerprint": 7
},
"indicator_count": 4034,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "165 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dd9423f9208dcc8701e12e",
"name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic",
"description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting",
"modified": "2025-10-31T19:03:21.338000",
"created": "2025-10-01T20:50:43.002000",
"tags": [
"iocs",
"logo",
"passive dns",
"related tags",
"none google",
"ipv4",
"gogle",
"twitter",
"x.com",
"ransomware",
"fbi \u2019site\u2019",
"python",
"cloud",
"regopenkeyexw",
"read c",
"port",
"destination",
"cryptexportkey",
"count read",
"tor get",
"malware",
"write",
"format",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"country",
"postal code",
"organization",
"date",
"email",
"code",
"aaaa",
"value a",
"key identifier",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"cnwe1 validity",
"subject public",
"key info",
"key algorithm",
"ec oid",
"maktub",
"cnc",
"python-projekt",
"x post",
"link",
"android",
"iphone",
"google",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"ssl certificate",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"size",
"mitre att",
"show technique",
"ck matrix",
"title",
"path",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"body"
],
"references": [
"FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm",
"Entity CLOUD14",
"CLOUDFLARENET - 104.16.148.244 , 104.19.148.244",
"https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2",
"https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05",
"Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me",
"Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval",
"Tor Get Server Request \u2022 TLS Handshake Failure High Priority",
"Yara Detections: stack_string Alerts: dead_host",
"Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http",
"Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters",
"Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Code Virus Ransomware",
"display_name": "Code Virus Ransomware",
"target": null
},
{
"id": "AVAST- Win32:Filecoder-AD\\ [Trj]",
"display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]",
"target": null
},
{
"id": "CLAMAV - Win.Malware.Cabby-6803812",
"display_name": "CLAMAV - Win.Malware.Cabby-6803812",
"target": null
},
{
"id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn",
"display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn",
"target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn"
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 574,
"domain": 147,
"FileHash-MD5": 156,
"FileHash-SHA1": 130,
"FileHash-SHA256": 539,
"URL": 982,
"SSLCertFingerprint": 4,
"email": 2
},
"indicator_count": 2534,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "169 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68bbdb22e3d606ae8fb5cda8",
"name": "HCPF | Department of Health Care Policy and Financing",
"description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir",
"modified": "2025-10-06T05:01:18.794000",
"created": "2025-09-06T06:56:34.649000",
"tags": [
"federal changes",
"health first",
"colorado",
"child health",
"plan plus",
"newimpact",
"medicaidour",
"impact",
"medicaid page",
"medicaid",
"beware",
"text/html",
"trackers",
"iframes",
"external-resources",
"new relic",
"g1gv3h3sxc0",
"utc gcw970gh4gg",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"no expiration",
"url https",
"type indicator",
"role title",
"related pulses",
"hostname https",
"m4e5930",
"hostname",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"search",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"urls",
"title",
"date",
"resolved ips",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"endgame systems"
],
"references": [
"Researched: https://hcpf.colorado.gov/",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"millet-usgc-1.palantirfedstart.com",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"https://passwords.google/?utm_medium=hpp&utm",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"Researched publicly available information provided by representative of a target\u2019s estate",
"System has placed affected on multiple policies cancelling private policy without notice.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [
"Hospitality",
"Financial",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1395,
"URL": 4304,
"CVE": 1,
"domain": 694,
"FileHash-SHA256": 1790,
"FileHash-MD5": 183,
"FileHash-SHA1": 103,
"SSLCertFingerprint": 5
},
"indicator_count": 8475,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68dd98104b4b93bdd18ee7f0",
"name": "Develop , Monitor. Deploy (devices)",
"description": "I haven\u2019t done research so I can\u2019t imagine.",
"modified": "2025-10-01T21:07:28.002000",
"created": "2025-10-01T21:07:28.002000",
"tags": [
"url https",
"url http",
"indicator role",
"title added",
"active related",
"pulses",
"type indicator",
"role title",
"added active",
"related pulses",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 261,
"domain": 15,
"hostname": 249
},
"indicator_count": 525,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "199 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68ae5b9ef87646927a236b61",
"name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry",
"description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems",
"modified": "2025-09-26T00:01:12.214000",
"created": "2025-08-27T01:13:02.780000",
"tags": [
"google",
"mullvad browser",
"value",
"incognito mode",
"mine",
"unix time",
"friday",
"january",
"does",
"tor browser",
"search",
"show",
"langchinese",
"packing t1045",
"t1045",
"medium",
"pe resource",
"module load",
"t1129",
"service",
"trojan",
"copy",
"dock",
"write",
"malware",
"clock",
"united",
"passive dns",
"urls",
"next associated",
"gmt cache",
"ipv4 add",
"pulse pulses",
"files",
"reverse dns",
"win32",
"title",
"location united",
"america flag",
"america asn",
"as15169 google",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"present aug",
"china unknown",
"creation date",
"date",
"domain",
"ip address",
"domain name",
"expiration date",
"status ok",
"nanjing",
"accept",
"body",
"div td",
"td tr",
"div div",
"span span",
"a li",
"span p",
"p div",
"moved",
"a domains",
"open",
"span",
"uuupupu",
"t1055",
"process32nextw",
"high",
"windows",
"high defense",
"evasion",
"delphi",
"google gmail",
"images sign",
"advanced search",
"solutions",
"privacy",
"store gmail",
"delete delete",
"report",
"how search",
"applying ai",
"settings search",
"advanced",
"search search",
"search help",
"domainabuse",
"showing",
"hostname add",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"read c",
"tlsv1",
"whitelisted",
"port",
"destination",
"ascii text",
"next",
"encrypt",
"script urls",
"msie",
"chrome",
"bad gateway",
"script domains",
"present feb",
"link",
"meta",
"digital",
"language",
"body doctype",
"ghost",
"present jun",
"aaaa",
"present jul",
"present oct",
"record value",
"yara detections",
"dock zone",
"top source",
"top destination",
"source source",
"filehash",
"code",
"error",
"windows nt",
"wow64",
"slcc2",
"media center",
"execution",
"persistence",
"tulach",
"brian sabey",
"dod network",
"orgtechref",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity dnic",
"handle",
"whois lookup",
"dod",
"et trojan",
"server header",
"suspicious",
"et info",
"unknown",
"virustotal",
"specified",
"download",
"et",
"please",
"type size",
"first seen",
"loading",
"python wheel",
"dynamicloader",
"intel",
"ms windows",
"pe32",
"entries",
"user agent",
"powershell",
"agent",
"yara rule",
"checks",
"levelblue",
"open threat",
"observed dns",
"query",
"dns lookup",
"msdos",
"wannacry dns",
"lookup",
"wannacry",
"worm",
"explorer",
"msil",
"darkcomet",
"ping",
"tools",
"capture",
"hallrender",
"dga domains",
"unfurl sites",
"honey net",
"bot",
"nxdomain",
"potential-c2"
],
"references": [
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"DoD Network Information Center (DNIC)",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"Python Wheel package",
"https://www.google.com/search",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Magania.DSK!MTB",
"display_name": "Trojan:Win32/Magania.DSK!MTB",
"target": "/malware/Trojan:Win32/Magania.DSK!MTB"
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "a variant of Win32/Kryptik.DEOA",
"display_name": "a variant of Win32/Kryptik.DEOA",
"target": null
},
{
"id": "ALF:Exploit:Win32/gSharedInfoRef.A",
"display_name": "ALF:Exploit:Win32/gSharedInfoRef.A",
"target": null
},
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian"
],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8221,
"domain": 1216,
"FileHash-SHA256": 2434,
"FileHash-MD5": 296,
"FileHash-SHA1": 155,
"hostname": 2939,
"email": 7,
"SSLCertFingerprint": 8,
"CIDR": 2
},
"indicator_count": 15278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "205 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "689b9b9fab42ca4f016a226f",
"name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)",
"description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +",
"modified": "2025-09-11T13:03:18.814000",
"created": "2025-08-12T19:53:03.953000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses url",
"entries",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"href",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"general",
"local",
"path",
"iframe",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"united",
"unknown ns",
"ip address",
"creation date",
"search",
"present sep",
"moved",
"domain add",
"encrypt",
"accept",
"please",
"passive dns",
"msie",
"next associated",
"html",
"background",
"unknown site",
"div div",
"trojan",
"zeus",
"process32nextw",
"read c",
"show",
"shellexecuteexw",
"windows nt",
"wow64",
"copy",
"dock",
"write",
"malware",
"unknown",
"defense evasion",
"t1480 execution",
"file defense",
"august",
"hybrid",
"port",
"destination",
"tlsv1",
"as15169",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"persistence",
"data upload",
"extraction",
"win32",
"ransom",
"trojandropper",
"mtb nov",
"forcud",
"files show",
"date hash",
"avast avg"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4179,
"domain": 774,
"hostname": 1673,
"FileHash-MD5": 169,
"FileHash-SHA1": 110,
"FileHash-SHA256": 2073,
"email": 1,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 8993,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "220 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68958d96a43dd0d3b5a65220",
"name": "Mirai Communication Networks Inc",
"description": "BGP Mirai Communication Networks Inc. May be used for Red Hat activities considered enterprise open source solutions. Used for adversarial motives. Abuse.\nResearched a device-local-**********.remotewd.com found in last residential community a monitored target lived.",
"modified": "2025-09-07T05:03:49.633000",
"created": "2025-08-08T05:39:34.315000",
"tags": [
"united",
"unknown ns",
"moved",
"passive dns",
"ip address",
"cloudfront x",
"hio50 c1",
"a domains",
"domains",
"meta",
"mirai",
"apache",
"url hostname",
"server response",
"google safe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"command",
"found",
"mitre att",
"ck techniques",
"sha256",
"sha1",
"ascii text",
"pattern match",
"size",
"null",
"refresh",
"body",
"span",
"august",
"hybrid",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"defense evasion",
"t1480 execution",
"file defense",
"show technique",
"ck matrix",
"adversaries",
"general",
"starfield",
"iframe",
"onload",
"status",
"urls",
"domain",
"name servers",
"hostname",
"files",
"files ip",
"certificate",
"urls show",
"results aug",
"entries",
"show process",
"utf8",
"crlf line",
"network traffic",
"title error",
"next associated",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"meta http",
"equiv content",
"win32",
"trojan",
"servers",
"search",
"whois show",
"record value",
"emails",
"name legal",
"department name",
"address po",
"city seattle",
"present oct",
"present jul",
"present dec",
"present aug",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"external",
"data upload",
"extraction",
"include review",
"exclude sugges",
"uny inuuue",
"find s",
"extr",
"typ dom",
"failed",
"extri data",
"mirai meta",
"japan unknown",
"miraipcok meta",
"overview ip",
"address",
"location united",
"asn as15169",
"nameservers",
"less whois",
"registrar",
"overview domain",
"address domain",
"ip whois",
"title",
"create c",
"read c",
"delete",
"write",
"medium",
"create",
"showing",
"rgba",
"next",
"dock",
"execution",
"malware",
"sqlite rollback",
"jfif",
"journal",
"regsetvalueexa",
"ascii",
"regdword",
"baidu",
"url add",
"http",
"related nids",
"files location",
"flag united",
"redacted for",
"unknown aaaa",
"hostname add",
"url analysis",
"encrypt",
"date",
"germany unknown",
"ascio",
"creation date",
"alfper",
"ipv4 add",
"reverse dns",
"mozilla",
"set spray",
"pty ltd",
"date checked",
"present jun",
"present nov",
"present may",
"present mar",
"present sep",
"present jan",
"for privacy",
"lngen",
"ransom",
"virtool",
"exploit",
"as133618",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"related pulses",
"asn as133618",
"whois registrar",
"ietfdtd html",
"gmt server",
"debian",
"dynamicloader",
"unknown",
"feat",
"query",
"installer",
"results oct",
"results jan",
"aaaa",
"tlsv1",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"lowfi",
"urlshortner aug",
"urlshortner jul",
"urlshortner",
"write c",
"high",
"et exploit",
"probe ms17010",
"f codeoverlap",
"copy",
"contacted",
"w3wwhb",
"svwjh5dd u",
"uv5b usvwu",
"f us3v9",
"cu codeoverlap",
"filehash",
"sha256 add",
"monitored target",
"sloffeefoundry.com",
"apple",
"samsung",
"galaxy",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"persistence",
"edge",
"bing",
"racism",
"amazon music",
"ios",
"twitter",
"googleapis",
"denver"
],
"references": [
"Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp",
"Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network",
"*ccm-command-center.int.m1np.symetra.cloud",
"Monitored Target/s",
"https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f",
"https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd",
"https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a",
"https://otx.alienvault.com/indicator/ip/210.172.192.15",
"https://otx.alienvault.com/indicator/domain/sanso-mirai.jp",
"device-local-**********. remotewd.com",
"https://sms-apple.com/login",
"https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p",
"https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg",
"https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533",
"api.omgpornpics.com",
"http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Crypt-142",
"display_name": "Win.Trojan.Crypt-142",
"target": null
},
{
"id": "#Lowfi:SIGATTR:URLShortner",
"display_name": "#Lowfi:SIGATTR:URLShortner",
"target": null
},
{
"id": "Win.Trojan.14278494-1",
"display_name": "Win.Trojan.14278494-1",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ransom:Win32/WannaCrypt.H",
"display_name": "ransom:Win32/WannaCrypt.H",
"target": "/malware/ransom:Win32/WannaCrypt.H"
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Mirai Communications",
"display_name": "Mirai Communications",
"target": null
},
{
"id": "Alfper",
"display_name": "Alfper",
"target": null
},
{
"id": "telper:HSTR:CLEAN:Ninite",
"display_name": "telper:HSTR:CLEAN:Ninite",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8962,
"domain": 1671,
"hostname": 2125,
"FileHash-SHA256": 2031,
"FileHash-MD5": 718,
"FileHash-SHA1": 523,
"SSLCertFingerprint": 12,
"email": 7,
"CVE": 1
},
"indicator_count": 16050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "224 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68930449988277cd29c25cb7",
"name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper",
"description": "",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:29:13.136000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6893032410060f658d862c60",
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6893032410060f658d862c60",
"name": "Hosting App - Partial research | Emotet Worm",
"description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]",
"modified": "2025-09-05T07:00:00.711000",
"created": "2025-08-06T07:24:20.645000",
"tags": [
"url https",
"iocs",
"learn more",
"ipv4",
"domain",
"hostname",
"types of",
"sweden",
"united",
"belgium",
"indicator role",
"title added",
"active related",
"pulses hostname",
"showing",
"document file",
"v2 document",
"search",
"medium",
"ms windows",
"vista event",
"port",
"msie",
"windows nt",
"wow64",
"dirty",
"write",
"powershell",
"copy",
"next",
"defender",
"dynamicloader",
"high",
"fwlink",
"windows",
"cmd c",
"alerts",
"bios",
"related pulses",
"pulses",
"related tags",
"file type",
"ascii text",
"sha256",
"external",
"virustotal api",
"screenshots",
"june",
"flag",
"usa windows",
"input threat",
"level analysis",
"summary",
"gbrflag",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"ssl certificate",
"defense evasion",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"size",
"mitre att",
"date",
"path",
"format",
"august",
"hybrid",
"local",
"form",
"click",
"strings",
"ubar",
"truetype",
"web open",
"font format",
"description web",
"general",
"iframe",
"slcc2",
"media center",
"destination",
"tlsv1",
"unknown",
"execution",
"dock",
"persistence",
"malware",
"encrypt",
"ck techniques",
"read c",
"show",
"entries",
"delete",
"data upload",
"extraction",
"onlv",
"find",
"type",
"no matching",
"indicator",
"mtb may",
"trojandropper",
"passive dns",
"next associated",
"lowfi",
"gmt cache",
"sameorigin",
"ipv4 add",
"trojan",
"mtb apr",
"files show",
"date hash",
"avast avg",
"shellterlod may",
"win32qqpass apr",
"trojanspy",
"ransom",
"wiper",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results aug",
"urls show",
"hookwowlow may"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4593,
"hostname": 1754,
"domain": 399,
"FileHash-SHA256": 2128,
"FileHash-MD5": 426,
"FileHash-SHA1": 299,
"SSLCertFingerprint": 17
},
"indicator_count": 9616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6892e73b32af18aa302df0dc",
"name": "Part 1.5",
"description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
"modified": "2025-09-05T04:03:06.929000",
"created": "2025-08-06T05:25:15.369000",
"tags": [
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"june",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"impact",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"file defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"script",
"mitre att",
"pattern match",
"show technique",
"iframe",
"refresh",
"august",
"general",
"local",
"tools",
"demo",
"look",
"verify",
"restart",
"url http",
"small",
"pulses url",
"tellyoun",
"showing",
"entries",
"url https",
"indicator role",
"title added",
"active related",
"type indicator",
"role title",
"added active",
"related pulses",
"cc08",
"f06a6b",
"sfurl",
"filehashsha256",
"types",
"indicators show",
"search",
"pulses",
"filehashsha1",
"adversaries",
"found",
"webp image",
"ascii text",
"riff",
"size",
"encrypt",
"legacy",
"filehashmd5",
"united",
"flag",
"server",
"markmonitor",
"name server",
"llc name",
"overview dns",
"requests domain",
"country",
"win32",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"detections",
"malware",
"copy",
"show",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"extraction",
"data upload",
"enter sc",
"type",
"extra data",
"please",
"failed",
"review",
"exclude data",
"included review",
"ic data",
"suggeste",
"stop",
"type onow",
"domain",
"passive dns",
"urls",
"files related",
"pulses none",
"related tags",
"none google",
"safe browsing",
"sc data",
"extr amanuav",
"review included",
"manualy",
"sugges excluded",
"filehash",
"md5 add",
"pulse pulses",
"url add",
"http",
"hostname",
"files domain",
"pulses otx",
"virustotal",
"hsmi192547107",
"pulses hostname",
"r dec",
"customer dec",
"iski dec",
"decision dec",
"va dec",
"bitcoin",
"bitcoin dec",
"petra",
"torstatus dec",
"paul dec",
"sodesc",
"planet dec",
"emilia",
"heroin dec",
"difference dec",
"palantir dec",
"loraxlive dec",
"chaturbate dec",
"sandra",
"free dec",
"marvel dec",
"benjis dec",
"fresh dec",
"sodesc dec",
"srdirport",
"srhostname",
"link dec",
"types of",
"italy",
"china",
"australia",
"france",
"turkey",
"discovery",
"information",
"ck ids",
"t1005",
"local system",
"t1007",
"system service",
"part",
"track",
"locate",
"political",
"civil society",
"news",
"created",
"hours ago",
"report spam",
"t1555",
"password",
"t1560",
"collected data",
"t1573",
"channel",
"t1574",
"execution flow",
"scan",
"iocs",
"t1497",
"u0lhmq",
"mtawmq",
"t1480",
"guardrails",
"t1486",
"data encrypted",
"learn more",
"unsubscribe aug",
"protocol",
"t1074",
"staged",
"t1083",
"t1102",
"web service",
"t1105",
"tool transfer",
"t1140",
"data engineer",
"candidate",
"tlsv1",
"odigicert inc",
"stcalifornia",
"lsan jose",
"oadobe systems",
"incorporated",
"cndigicert sha2",
"push",
"next",
"high",
"write c",
"ireland as16509",
"delete",
"dirty",
"tags",
"t1012",
"flow endpoint",
"security scan",
"t1106",
"copyright",
"levelblue"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 608,
"FileHash-SHA1": 433,
"FileHash-SHA256": 3663,
"URL": 17104,
"domain": 1316,
"email": 39,
"hostname": 4208,
"SSLCertFingerprint": 17
},
"indicator_count": 27388,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688f2a4444334746890f3b39",
"name": "Bank of America Scam",
"description": "Bank of America scams that being carried out for at least 8 years. Group able to steal your credentials, investments, insurance policies, skimming, small to large false charges, account theft. 9/2024 BoFa was investigated by me. They had experienced a major , sophisticated compromise. At least one branch is run by unfriendly investigators or authorities. All regular staff was moved to different branches. I witnessed personnel accessing a customer\u2019s account without customer presenting ID or giving name. Customer was concerned, staffer just stated he remembered their business name. Another customer was being harassed to close business account for an hour and another staffer took a consumers debit card and denied it prompting an internal investigation. Finally a \u2018manager\u2019 said they experienced a major hack. Research shows customers weren\u2019t informed. . Further research is necessary.\nAnybody? \n#theft #skimming #cancellations #false_charges #debitcardfraud #botnetcallcenter",
"modified": "2025-09-02T08:02:34.108000",
"created": "2025-08-03T09:22:12.846000",
"tags": [
"united",
"link",
"ip address",
"creation date",
"search",
"record value",
"showing",
"unknown ns",
"present mar",
"a domains",
"date",
"meta",
"starfield",
"entries",
"show",
"windows",
"msie",
"http",
"medium",
"post http",
"delete",
"ids detections",
"malware",
"copy",
"drweb",
"write",
"win32",
"global",
"present jul",
"error",
"lowfi",
"trojanspy",
"checkin",
"passive dns",
"trojan",
"next associated",
"cryp",
"present aug",
"urls",
"address",
"hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"pulse",
"less whois",
"registrar",
"adylkuzz cnc",
"beacon",
"get http",
"exe payload",
"read",
"suspicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 171,
"URL": 873,
"domain": 180,
"hostname": 332,
"email": 3,
"FileHash-SHA256": 698,
"FileHash-SHA1": 167
},
"indicator_count": 2424,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "229 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "688d9f7c357111d3ad843c16",
"name": "Follower Factory - Virus:Win32/Shodi.I | Trojan Agent",
"description": "Follower factories sell followers , shout outs & retweets to celebrities, businesses, anyone. Buying followers is not encouraged by the those \u2018target\u2019 worked with. On several occasions Brashears had to have Bank refund her $1000\u2019s in unauthorized Facebook advertising charges finally, 2 of her banks accounts , l Brashears had to delete a photo of herself that gained a suspicious 12,000+ in Filipino likes & comments.. Target deleted 3000 sudden faceless twitter bots shortly before her Twitter accounts was stolen. Bad actors marketed her music on malicious websites. Hacking Tsara began in 2013 after assault, Followers began after Brian Sabey contacted Tsara Brashears @ Song Culture email. Site became filled with trackers at one time and advertised her commutes on Yandex..1st contact Sabey , initially asked what the company did via email.",
"modified": "2025-09-01T02:00:30.266000",
"created": "2025-08-02T05:17:48.231000",
"tags": [
"destination",
"port",
"united",
"show",
"search",
"get http",
"host sinkhole",
"cookie value",
"et trojan",
"unknown",
"possible",
"write",
"win32",
"nivdort",
"artemis",
"malware",
"zeus gameover",
"copy",
"next",
"date",
"no expiration",
"ipv4",
"expiration",
"url http",
"domain",
"iocs",
"drop or",
"browse to",
"select file",
"or drop",
"united kingdom",
"entries",
"next associated",
"unknown a",
"showing",
"urls show",
"date checked",
"url hostname",
"server response",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"md5 add",
"passive dns",
"great britain",
"present jul",
"urls",
"files",
"reverse dns",
"data upload",
"extraction",
"failed",
"virus",
"file score",
"medium risk",
"related pulses",
"none related"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 351,
"FileHash-SHA1": 344,
"FileHash-SHA256": 1546,
"URL": 3435,
"domain": 796,
"hostname": 801
},
"indicator_count": 7273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "230 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68858e8244c8db854e8947c1",
"name": "Goodreads Malware",
"description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore",
"modified": "2025-08-26T01:03:19.405000",
"created": "2025-07-27T02:27:14.517000",
"tags": [
"passive dns",
"urls",
"url add",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"united",
"flag united",
"present jun",
"present may",
"present apr",
"search",
"moved",
"creation date",
"record value",
"date",
"body",
"meta",
"indicator role",
"title added",
"active related",
"pulses url",
"memcommit",
"value1",
"partnerid4146",
"username",
"gamesessionid",
"port",
"destination",
"regsetvalueexa",
"mozilla",
"write",
"persistence",
"execution",
"malware",
"copy",
"next",
"process32nextw",
"show",
"entries",
"module load",
"t1129",
"intel",
"ms windows",
"showing",
"t1045",
"win32",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"sha1",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"size",
"pattern match",
"ascii text",
"null",
"error",
"starfield",
"click",
"hybrid",
"local",
"path",
"strings",
"refresh",
"tools",
"onload",
"span",
"smbds ipc",
"ms17010",
"msf style",
"probe ms17010",
"generic flags",
"yara detections",
"nrv2x",
"upxoepplace"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 155,
"hostname": 1237,
"FileHash-SHA256": 1141,
"domain": 574,
"URL": 4593,
"FileHash-SHA1": 139,
"email": 1,
"SSLCertFingerprint": 8
},
"indicator_count": 7848,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "236 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities",
"IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access",
"Foundry Palantir still has a presence in Colorado",
"Python Wheel package",
"CLOUDFLARENET - 104.16.148.244 , 104.19.148.244",
"https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"https://duck.ai/apple-touch-icon.png",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"Some Colorado communities have been taken over by the State Government",
"Tor Get Server Request \u2022 TLS Handshake Failure High Priority",
"device-local-**********. remotewd.com",
"https://pickyhot.disqus.com/tsara-brashears",
"Target also owned an online brokerage & lead company, was agent & insurance marketer for years.",
"chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"https://www.justice.gov/opa/pr/departmen.t",
"https://securityaffairs.com/144927/cyber-crime~#",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http",
"Environment Awareness : Able to access user sensitive domai",
"We apologize for so may typos and errors. We strive to do better at that.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"http://www.mylifelawyer.com/services/denver-affordable-lawyer-child-custody/",
"Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval",
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"https://shell-gift.website/sweeps/de/amazon-voucher/question1000-agg/index.html?uclick=qdlpqnvr&uclickhash=qdlpqnvr-qdlpqnvr-pmwj-0-xsi4-hovr-hoi4-9b6533",
"https://brand.centurylinktechnology.com",
"ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"duck.ai \u2022 https://duck.ai/chat phishing",
"https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc",
"marriott-datacenter-prd.accenture.cn",
"pegasuspartners.followupboss.com",
"https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"internationalfrontier.com",
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Alerts : recono_fingerprint antivm_memory_available",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f",
"this.target",
"John 12:17",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)",
"Running webserver Running WordPress Running Drupal",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"https://www.google.com/search",
"Tesla Hackers | https://www.teslarati.com/spacex",
"https://www.teslarati.com/tesla-hackers",
"https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com",
"I apologize for the lack of reference.",
"52.250.42.157 scanning_host",
"Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me",
"Mirai Communication Network Inc. (AS7690) Seto, Japan ASN is a BGP Network",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"*ccm-command-center.int.m1np.symetra.cloud",
"ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114",
"loophole.outlook89.accesscam.org",
"http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==",
"Suspicious apps",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"Typing a suicide note on social media is suspicious since it could come from your murderer.",
"So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?",
"Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"Bot network",
"http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"DoD Network Information Center (DNIC)",
"http://p2d.josht.ca/assets/content-delivery/depots/download",
"IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"Monitored Target/s",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://otx.alienvault.com/indicator/domain/sanso-mirai.jp",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.",
"you.are.poor.i.got.trap.money?",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.",
"I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://nextcloud.simonduffey.ch",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"http://truefoundry.prodigaltech.com/",
"bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou",
"https://www.mof.gov.cn.lxcvc.com/",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"https://www.exito.com/galaxy-m12-64-gb-negro-samsung-sm-m127fzkkcoo-3016108/p",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"http://wg41xm05b3.endgamesystems.com/",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"http://mail.saynextapp.accesscam.org/",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"anyconnect.online",
"https://www.phantomcameras.cn/applications/where/piv",
"https://pegasus.pahamify.com/",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet",
"https://l.us-1.a.mimecastprotect.com/l",
"https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html",
"Win.Packed.Reline-9875163-0",
"https://4.img-dpreview.com/files/p/articles/2356747397/samsung_nv24hd_bk.jpeg",
"https://t.me/",
"http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne",
"Fireye - FEDNS1.FIREEYE.COM",
"https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"https://sms-apple.com/login",
"I would post his public information. It may be unwise.",
"FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"https://www.endgames.us \u2022 https://www.endgames.us/",
"https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms",
"http://cr-malware.testpanw.com/url",
"System has placed affected on multiple policies cancelling private policy without notice.",
"https://about.homeasap.com",
"appspot.com \u2022 hyper7install.appspot.com",
"https://310940000.android.com.twitter.android.adsenseformobileapps.com/",
"It appears there are 5-7 known affected that I was able to find",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Suspicious EXE download from WordPress folder",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com",
"https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d",
"FireEye was there in 2 year old pulse now removed? I\u2019ll find it.",
"https://prod.centurylinktechnology.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"Entity CLOUD14",
"September began with false information, defaulted claims , denials from authorized services rendered years prior.",
"https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg",
"https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/",
"jaycobundaberg.eclipseaurahub.com.au 192.168.0.21",
"Researched: 210.172.192.15 | p192015.mirai.ne.jp | sanso-mirai.jp",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"http://www.internationalfrontier.com",
"https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org",
"https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga",
"https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com",
"Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2",
"Accurately tipped about air travel safety. In past. Proven true.",
"https://brand2.centurylinktechnology.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"git.spywarewatchdog.org",
"https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356",
"Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud",
"ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114",
"pcup.gov.ph:",
"According to accounts she was afraid for her life , found to be safe then took her own life?",
"Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me",
"Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters",
"http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box",
"api.omgpornpics.com",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
"http://up.chenmin.org/login/jquery.min.js",
"Requires further research",
"https://hybrid-analysis.com/sample/f6e628e57373bf795bae87c883dcaefdbb720960133edc1adacc6146d10fc88a",
"There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.",
"Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.",
"By remote view of NEW targeys view, all key calls are routed through him.",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org",
"https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"ecs-80-158-49-8.reverse.open-telekom-cloud.com",
"Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint",
"http://www.endgamesystems.com/",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"Apple - 162.55.158.153",
"edge-mobile-static.azureedge.net",
"https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No",
"IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Requires further research.",
"I need some help.",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Connects to all NEW targets key contacts main targets contacts.",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"7box.vip",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"https://apple.btprmjo.cc/",
"Yara Detections: stack_string Alerts: dead_host",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download EXE - Served Attached HTTP",
"Uses code, no phone calls. Connected via instagram.",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Attacker being used by several legal entities attacking a target\u2019s family",
"https://otx.alienvault.com/indicator/ip/210.172.192.15",
"https://api.manus.im/api/oauth2_callback/apple",
"Alerts: antivm_memory_available pe_features raises",
"\"vgkw.maillist-manage.com\" is probably a mail server",
"Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft",
"ASP. NET",
"IDS Detections Win32/ZonaInstaller Install Beacon",
"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System",
"inst.govelopscold.com",
"https://elegantcosmedampyeah.pages.dev/",
"http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.",
"https://nextcloud.paroxity.org/",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"and our limited information, is Daisy a victim or a crisis actor?",
"www.onyx-ware.com \u2022 https://www.endgamesystems.com/",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"IDS Detections: Win32/Emotet CnC Activity (POST) M10",
"Contacted: newmethcnc.duckdns.org",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"https://mobile-pocket-guide.centurylinktechnology.com",
"URL https://mailcatcher.qa2.white-label-dating.com",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"UPX_OEP_place",
"https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html",
"Is that where they\u2019re getting these names? Rexxfield.com. SMH",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com",
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"accenture.cn",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"Win32/Tofsee.AX google.com connectivity check",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"Tipped of new looming airline threats",
"Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval",
"According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021",
"Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"grafana.ledocloud.com\u2022 192.168.0.21",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"PE EXE or DLL Windows file download HTTP",
"Same legal , and quasi governmental pattern identified",
"authrootstl.cab common file extension",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca",
"passwordresetalcb.accenture.cn",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"https://www.google-analytics.com/debug/bootstrap?id=\\",
"https://www.passcreator.com/en/apple-wallet-passes",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2",
"We have foot soldiers. Be aware",
"https://cms.medicarementalhealthcheckin.gov.au",
"Researched publicly available information provided by representative of a target\u2019s estate",
"target.id \u2022 tostring.call \u2022 title.search",
"http://console.cloud.google.com/appengine",
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"https://p2d.josht.ca/api/depots/info/?depot=",
"marriott-control-prd.accenture.cn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"114.114.114.114 = Tulach",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21",
"Provided documented evidence of appealed state issued plan and disclosed financials.",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"millet-usgc-1.palantirfedstart.com",
"div>
",
"State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.",
"https://hybrid-analysis.com/sample/d30cf86f09e3ab7bb7d0a4ac2608aafb31e07c94fe77f5a264ccdb35fe153c59/689505ded9be5613900509fd",
"http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114",
"search.roi.ros.gov.uk",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"https://clockoutbox.es/password",
"foundry.neconsside.com \u2022 http://foundry.neconsside.com",
"Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a",
"https://www.phantomcameras.cn.bscedge.com",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"apple-business.cancom.at",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com",
"https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022",
"https://palapa.c.id\t (c.id)",
"If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI",
"Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?",
"x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
"Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.",
"Daisy was allegedly brutally assaulted by Matthew Barnett,",
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283",
"192-168-0-21.siliconevalley1.direct.quickconnect.to",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)",
"Researched: https://hcpf.colorado.gov/",
"All tags auto populated including\u2019 Elon Musk\u2019",
"http://netuser.joymeng.com/charge_apple/notify",
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"https://feedback.ptv.vic.gov.au/360",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"Targets associated warned. Not very open to advice.",
"This is why our team tells a back story. It can and does happen to anyone.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"Subject: DE Certificate Subject: Berlin Certificate Subject",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"files.catbox.moe",
"www.endgame.com",
"cedevice.io \u2022 decagonsoftware.com",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://eurotarget.com/it/auto/toyota/c-hr/",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"http://pickyhot.disqus.com/",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"https://passwords.google/?utm_medium=hpp&utm",
"#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0",
"http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==",
"https://hybrid-analysis.com/sample/ff37a006ed8677bafa412d653ce9adfe84744702f28f7dfe9f5f4ec51b599419/689505a3a647793a0300f73f",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"Changed last several digits of gmail account # In example",
"Tipped: A targets AI and other cyber research findings.",
"https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786",
"Yare: compromised_site_redirector_fromcharcode",
"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Quickstart",
"Tesla Hackers"
],
"malware_families": [
"Node traffic",
"Win.downloader.small-1966",
"Win32:trojan",
"Crypt4.ahsw",
"Virtool:msil/injector.bf",
"Inject2.bive",
"Win32/madang",
"Crypt3.blxp",
"Crypt3.cmtm",
"Bc.win.packer.troll-11",
"Win.malware.hd0kzai-9985588-0",
"Backdoor:win32/tofsee",
"Virtool:win32/vbinder.co",
"Trojan:o97m/madeba.a!det",
"Trojandropper:win32/muldrop.v!mtb",
"Trojan:win32/glupteba.ov!mtb",
"Emotet",
"Win32/trickler",
"!themida",
"Crypt5.bbyh",
"Prorat",
"Project nemesis",
"Trojan:win32/zusy",
"Crypt3.boje",
"Mirai communications",
"Worm:win32/yuner.a",
"Code virus ransomware",
"Autoit",
"Trojan:msil/rapidstealer.a",
"Worm:win32/autorun.xfv",
"Wormwin32/mofksys.rnd!mtb",
"Pws:win32/axespec.a",
"Crypt3.ckto",
"Trojan:win32/salgorea",
"Pahamify pegasus",
"Virus:win32/sality.at",
"Worm:win32/lightmoon.h",
"Crypt2.azdi",
"Mofksys",
"Win.malware.reline-9887776-0",
"Avast- win32:filecoder-ad\\ [trj]",
"Worm:win32/autorun!atmn",
"Trojan:win32/eyestye.t",
"Pws:win32/qqpass",
"Win.trojan.14278494-1",
"Tesla hackers",
"Mirai (elf)",
"Other malware",
"Et",
"Trojan:win32/salgorea.c!mtb",
"Doc.trojan.agent-9765752-0",
"Icedid",
"Lockbit",
"Ms defender - trojandownloader:win32/dalexis!rfn!rfn",
"Alf:hstr:trojan:win32/disableuac.a!bit",
"Other dangerous malware",
"Clamav - win.malware.cabby-6803812",
"#lowfi:sigattr:urlshortner",
"Trojan:win32/qqpass",
"Crypt3.bxgr",
"Atros3.ahfb",
"Trojan.tofsee/botx",
"Ransomware",
"Trojan:win32/glupteba.mt!mtb",
"Domino",
"Mydoom",
"Win.malware.barys-6840738-0",
"Backdoor:win32/tofsee.t",
"Inject2.bhbw",
"Ddos:linux/lightaidra",
"Androp",
"Win.trojan.generic",
"Win.packed.reline-9875163-0",
"Backdoor:win32/prorat.l",
"Virtool:msil/mousewe.a!mtb",
"Win.trojan.12382640-1",
"Lizar",
"Vd",
"Telper:hstr:clean:ninite",
"Tel:msil/dlsocconsend",
"Crypt3.boiu",
"Win32:salicode",
"Cobalt strike",
"Ransom:win32/wannacrypt.h",
"#lowfi:lua:dllsuspiciousexport.a",
"Win32:androp",
"Carbanak",
"Alf:trojan:win64/psbanker",
"Synacktiv",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Inject.brdv",
"Unruy",
"Win.trojan.crypt-142",
"Trojan:win32/blihan.a",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Multiple malware attack",
"Trojan:win32/agent.ag!mtb",
"Win32:malware-gen",
"Crypt3.bxvc",
"Backdoor:linux/mirai.n!mtb",
"Tofsee",
"Win.trojan.zegost",
"Danabot",
"Crypt3.bxmj",
"Worm:win32/autorun.xxy!bit",
"Pegasus",
"Crypt3.boqd",
"Bible gateway",
"Trojan:win32/magania.dsk!mtb",
"A variant of win32/kryptik.deoa",
"Cve 2007695",
"Alfper",
"Crypt3.coiz",
"Tulach",
"Wannacry",
"Alf:exploit:win32/gsharedinforef.a",
"Htbot",
"#lowfi:tool:win32/vbstoexev2e",
"Trojan:win32/aenjaris.al!bit",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Win32/scrarev.c",
"Mirai",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Trojan:win32/smkldr.h!mtb",
"Trojandropper:win32/vb.il"
],
"industries": [
"Healthcare",
"Financial",
"Civilian",
"Oil",
"Technology",
"Legal",
"Hospitality",
"Government",
"Telecom",
"Insurance",
"Telecommunications"
],
"unique_indicators": 280697
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/h5dev.xyz",
"whois": "http://whois.domaintools.com/h5dev.xyz",
"domain": "h5dev.xyz",
"hostname": "zissely.h5dev.xyz"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 45,
"pulses": [
{
"id": "69dc04c12782d2d76c111a93",
"name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked",
"description": "",
"modified": "2026-04-12T20:46:57.338000",
"created": "2026-04-12T20:46:57.338000",
"tags": [
"indicator role",
"active related",
"ck ids",
"files",
"information",
"discovery",
"mitre att",
"pattern match",
"ck id",
"ck matrix",
"ascii text",
"united",
"binary file",
"april",
"hybrid",
"apikey",
"general",
"local",
"path",
"iframe",
"click",
"protocol",
"learn",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"execution att",
"related pulses",
"dll read",
"function read",
"icmp traffic",
"machineguid",
"systembiosdate",
"total",
"read",
"write",
"network_icmp",
"js_eval",
"recon_fingerprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"tls handshake",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"neue",
"certificate",
"error",
"scans show",
"record value",
"title site",
"servers",
"emails",
"all hostname",
"dnsadmin",
"data upload",
"extraction",
"failed",
"include review",
"exclude sugges",
"find s",
"typ no",
"active",
"urls",
"ip address",
"asn as54113",
"registrar",
"wscript",
"united states",
"stcalifornia",
"lmountain view",
"ogoogle llc",
"ogoogle trust",
"cngts ca",
"whitelisted",
"as15169",
"hostile",
"crash",
"contacted",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections alf",
"hostile yara",
"detections none",
"less ip",
"domains",
"ms windows",
"intel",
"pe32",
"regsetvalueexa",
"langturkish",
"sublangdefault",
"port",
"destination",
"entries",
"worm",
"delphi",
"win32",
"body",
"explorer",
"defender",
"regdword",
"false",
"true",
"end sub",
"object",
"createobject",
"sheetschanged",
"private sub",
"string",
"boolean",
"cancel",
"trojan",
"copy",
"query",
"dns update",
"useragent",
"myapp",
"delphi alerts",
"alerts deadhost",
"women who code",
"tulach",
"114.114.114.114",
"samuel",
"brian sabey"
],
"references": [
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"this.target",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"authrootstl.cab common file extension",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://securityaffairs.com/144927/cyber-crime~#",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com",
"https://clockoutbox.es/password",
"http://cr-malware.testpanw.com/url",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"114.114.114.114 = Tulach"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:Trojan:Win64/PsBanker",
"display_name": "ALF:Trojan:Win64/PsBanker",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Trojan:O97M/Madeba.A!det",
"display_name": "Trojan:O97M/Madeba.A!det",
"target": "/malware/Trojan:O97M/Madeba.A!det"
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1114,
"hostname": 594,
"domain": 200,
"FileHash-SHA256": 2379,
"FileHash-MD5": 426,
"FileHash-SHA1": 259,
"IPv4": 322,
"SSLCertFingerprint": 24,
"email": 2,
"IPv6": 1
},
"indicator_count": 5321,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "6 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69da656a68549f39be14bd77",
"name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise",
"description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat",
"modified": "2026-04-11T15:14:50.815000",
"created": "2026-04-11T15:14:50.815000",
"tags": [
"united",
"unknown ns",
"ip address",
"st kitts",
"gmt content",
"ai chat",
"all domain",
"encrypt",
"mtb mar",
"virtool",
"x frame",
"x xss",
"x content",
"gmt cache",
"twitter",
"win32",
"locale",
"extraction",
"gm cache",
"include data",
"review exclude",
"suggestadiacs",
"report spam",
"duckduckgo",
"url http",
"urls",
"all url",
"http",
"active",
"duck.ai",
"duckduckgo ai",
"private ai",
"chatbot",
"free ai",
"chat",
"anonymous ai",
"ai chat",
"no sign up",
"openai",
"anthropic",
"llama",
"mistral",
"open source",
"javascript",
"ai models",
"privacy focused",
"recording screen",
"ai",
"no account ai chat",
"data upload",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"development att",
"ssl certificate",
"over",
"defense evasion",
"mitre att",
"ck matrix",
"size",
"meta",
"april",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"dark",
"roboto",
"invisible",
"desktop",
"small",
"tls sni",
"contacted",
"filehash",
"ids detections",
"yara detections",
"alerts",
"file sharing",
"https domain",
"tls handshake",
"failure alerts",
"less ip",
"nextcloud",
"hackers",
"they mad",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"port",
"destination",
"malware",
"write",
"self",
"network_icmp",
"icmp traffic",
"passive dns",
"moved",
"netherlands",
"gmt server",
"gmt etag",
"user agent",
"all ipv4",
"pulse submit",
"url analysis",
"apache",
"accept",
"writeconsolea",
"script",
"read c",
"search",
"show",
"medium",
"html",
"high",
"form",
"create c",
"write c",
"registry",
"windows",
"delete c",
"tools",
"persistence",
"execution",
"dock",
"malicious",
"unknown"
],
"references": [
"duck.ai \u2022 https://duck.ai/chat phishing",
"go.trckclick.xyz \u2022 att.trk.173trk.com",
"anyconnect.online",
"ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar",
"files.catbox.moe",
"passwordresetalcb.accenture.cn",
"https://www.phantomcameras.cn.bscedge.com",
"www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org",
"loophole.outlook89.accesscam.org",
"https://www.phantomcameras.cn/applications/where/piv",
"https://www.phantomcameras.cn.bscedge.com",
"52.250.42.157 scanning_host",
"https://nextcloud.simonduffey.ch",
"https://nextcloud.paroxity.org/",
"http://mail.saynextapp.accesscam.org/",
"http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script",
"https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:",
"http://docs.duckduckhack.com/walkthroughs/programming-syntax.html",
"http://www.duckduckhack.com \u2022 docs.duckduckhack.com",
"http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html",
"https://duck.ai/apple-touch-icon.png",
"http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/",
"http://up.chenmin.org/login/jquery.min.js",
"ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"Win.Packed.Reline-9875163-0",
"IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)",
"Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception",
"Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters",
"Alerts: packer_entropy antivm_queries_computername checks_debugger console_output",
"Alerts: antivm_memory_available pe_features raises",
"IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240",
"Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,",
"Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722",
"https://www.mof.gov.cn.lxcvc.com/",
"https://cms.medicarementalhealthcheckin.gov.au",
"https://duck.ai/apple-touch-icon.png",
"edge-mobile-static.azureedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit",
"target": null
},
{
"id": "VirTool:MSIL/Mousewe.A!MTB",
"display_name": "VirTool:MSIL/Mousewe.A!MTB",
"target": "/malware/VirTool:MSIL/Mousewe.A!MTB"
},
{
"id": "Win.Packed.Reline-9875163-0",
"display_name": "Win.Packed.Reline-9875163-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1462",
"name": "Malicious Software Development Tools",
"display_name": "T1462 - Malicious Software Development Tools"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1181,
"FileHash-SHA1": 195,
"IPv4": 50,
"domain": 320,
"hostname": 529,
"FileHash-SHA256": 1702,
"FileHash-MD5": 201,
"SSLCertFingerprint": 8
},
"indicator_count": 4186,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69aa019f4509897e354fe029",
"name": "credit Q Vashti Cloned Pulse ",
"description": "",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-03-05T22:20:15.324000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "69a2127d12dce12538b57d72",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5644,
"domain": 701,
"hostname": 1920,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9877,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a2127d12dce12538b57d72",
"name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets",
"description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-02-27T21:54:05.261000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5643,
"domain": 700,
"hostname": 1918,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9873,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a1a73eb0578b92962dae97",
"name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?",
"description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit",
"modified": "2026-03-29T13:04:34.750000",
"created": "2026-02-27T14:16:30.498000",
"tags": [
"regopenkeyexw",
"port",
"destination",
"cryptexportkey",
"search",
"show",
"entries",
"windows nt",
"regsetvalueexa",
"ip address",
"malware",
"copy",
"write",
"win32",
"next",
"format",
"contacted",
"less ip",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"date",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"february",
"failed",
"enter",
"data upload",
"passive dns",
"urls",
"aaaa",
"certificate",
"otx logo",
"all hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"title",
"body",
"encrypt",
"netherlands",
"gmt content",
"all ipv4",
"amsterdam",
"hetzner online",
"gmbh",
"summary",
"url age",
"de seen",
"general info",
"geo germany",
"as as24940",
"de note",
"route",
"direct",
"pro platform",
"logs",
"suricata alert",
"et info",
"tls handshake",
"bad traffic",
"suricata alerts",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"size",
"sha256",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"path",
"unknown",
"stop",
"root",
"hybrid",
"general",
"local",
"form",
"click",
"strings",
"9999",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"command",
"defense evasion",
"spawns",
"found",
"show technique",
"ck matrix",
"href",
"antivirus",
"maktub locker",
"tor status",
"check"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1129,
"domain": 148,
"hostname": 753,
"FileHash-SHA256": 548,
"FileHash-MD5": 90,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 8,
"CIDR": 1,
"email": 4
},
"indicator_count": 2752,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "697cdce9ec418c422eee2054",
"name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019",
"description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.",
"modified": "2026-03-01T16:05:57.375000",
"created": "2026-01-30T16:31:37.011000",
"tags": [
"url https",
"url http",
"tlsv1",
"whitelisted",
"united",
"read c",
"as15169",
"stcalifornia",
"execution",
"dock",
"write",
"persistence",
"malware",
"encrypt",
"active",
"lumen technologies",
"number",
"error",
"regexp",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"unknown",
"form",
"flash",
"backdoor",
"writeconsolew",
"yara detections",
"command line",
"pdb path",
"pe resource",
"internalname",
"windows command",
"A",
"aws",
"name servers",
"url analysis",
"passive dns",
"urls",
"data upload",
"extraction",
"palantir",
"c2",
"aerospace",
"tracking",
"spywatchdog",
"palapa-c2",
"communications satellite",
"amazon",
"hughesnet",
"icmp traffic",
"washington c",
"washington ou",
"mopr",
"mon jul",
"local",
"dynamic",
"apple",
"network",
"t1057",
"discovery",
"t1069",
"t1071",
"protocol",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"present jan",
"unknown ns",
"ip address",
"dnssec",
"domain",
"dynamic dns",
"government",
"pcup",
"germany unknown",
"link",
"dns hosting",
"cloudns",
"cloud dns",
"a domains",
"ipv4 add",
"title",
"meta",
"class",
"servers",
"present aug",
"aaaa",
"present sep",
"present nov",
"present jul",
"present may",
"moved",
"canada unknown",
"begin",
"record value",
"gmt content",
"type",
"hostname add",
"files",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"ck matrix",
"network traffic",
"et info",
"general",
"path",
"click",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"adversaries",
"input url",
"defense evasion",
"france",
"ireland",
"netherlands",
"denmark",
"united kingdom",
"type indicator",
"role title",
"added active",
"savvis",
"centurylinktechnology",
"hybrid analysis",
"monitoring tools",
"monitored target",
"triangulation",
"worm",
"intel",
"ms windows",
"pe32",
"write c",
"delete c",
"show",
"russia as47764",
"unix",
"lsan jose",
"odigicert inc",
"markus",
"url add",
"http",
"related nids",
"files location",
"russia flag",
"russia hostname",
"russia",
"russia unknown",
"hosting",
"federation flag",
"body",
"gmt vary",
"accept encoding",
"gmt cache",
"certificate",
"pulse submit",
"unknown aaaa",
"search",
"entries",
"script domains",
"script urls",
"pdx cf"
],
"references": [
"\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device",
"Yare: compromised_site_redirector_fromcharcode",
"Alerts: network_icmp nolookup_communication js_eval recon_fingerprint",
"Alerts: console_output has_pdb pe_unknown_resource_name",
"File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..",
"Tipped: A targets AI and other cyber research findings.",
"A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.",
"track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software",
"https://palapa.c.id\t (c.id)",
"Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com",
"cedevice.io \u2022 decagonsoftware.com",
"http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net",
"http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF",
"pcup.gov.ph:",
"http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:",
"https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:",
"https://elegantcosmedampyeah.pages.dev/",
"https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/",
"inst.govelopscold.com",
"https://feedback.ptv.vic.gov.au/360",
"nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au",
"nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au",
"https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d",
"https://brand.centurylinktechnology.com",
"https://prod.centurylinktechnology.com",
"https://brand2.centurylinktechnology.com",
"https://mobile-pocket-guide.centurylinktechnology.com",
"UPX_OEP_place",
"Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg",
"ASP. NET",
"https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:",
"7box.vip"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan.Tofsee/Botx",
"display_name": "Trojan.Tofsee/Botx",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "PWS:Win32/Axespec.A",
"display_name": "PWS:Win32/Axespec.A",
"target": "/malware/PWS:Win32/Axespec.A"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1439",
"name": "Eavesdrop on Insecure Network Communication",
"display_name": "T1439 - Eavesdrop on Insecure Network Communication"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1069.003",
"name": "Cloud Groups",
"display_name": "T1069.003 - Cloud Groups"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 102,
"FileHash-SHA1": 59,
"FileHash-SHA256": 1929,
"domain": 854,
"hostname": 2156,
"URL": 4475,
"SSLCertFingerprint": 9,
"email": 7,
"CVE": 1
},
"indicator_count": 9592,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "62 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://zissely.h5dev.xyz/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://zissely.h5dev.xyz/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776612900.2493615
}