{ "type": "Domain", "indicator": "ikzeus.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ikzeus.com", "alexa": "http://www.alexa.com/siteinfo/ikzeus.com", "indicator": "ikzeus.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2607532920, "indicator": "ikzeus.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69a8fff72a02303057d559c9", "name": "http://paragonparkbook.wordpress.com/", "description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com", "modified": "2026-04-04T05:18:12.440000", "created": "2026-03-05T04:00:55.226000", "tags": [ "certificate", "value", "a domains", "found a", "server", "gmt content", "length", "header http2", "arizona", "scottsdale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 138, "domain": 377, "URL": 117, "hostname": 95, "FileHash-MD5": 144, "email": 3, "FileHash-SHA256": 1162 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8fd4edfbd71548f7d5327", "name": "southshoresnews.com", "description": "interesting paragonpark seeking domain information string", "modified": "2026-04-03T00:08:04.195000", "created": "2026-03-05T03:49:34.257000", "tags": [ "united", "status", "creation date", "date", "as44273 host", "certificate", "overview ip", "address", "location united", "asn as16509", "unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "domain": 103, "hostname": 10, "URL": 10, "email": 1 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "https://pegasusm2.bullsbikesusa.com", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "checkip.dyndns.org [command and control]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "Virustotal - google.com.uy", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "www.crackedmindstechnologies.com", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "nr-data.net [Apple Private Data Collection]", "144.76.108.82 [scanning host]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Worm:win32/mydoom.o!backdoor", "Win32:dropperx-gen\\ [drp]", "Tofsee", "Sf:agent-dq\\ [trj]", "Win32:kukacka", "Win.trojan.tofsee-9770082-1", "Virus:win32/sality.at", "Worm:win32/bloored.e", "Et", "Trojan:msil/trojandropper", "Trojanspy:win32/invader.s!msr", "Installer", "Ransom:win32/stopcrypt.ak!mtb", "Trojanspy:win32/nivdort.aj", "Gandcrab", "Trojandownloader:win32/upatre!rfn" ], "industries": [ "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69a8fff72a02303057d559c9", "name": "http://paragonparkbook.wordpress.com/", "description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com", "modified": "2026-04-04T05:18:12.440000", "created": "2026-03-05T04:00:55.226000", "tags": [ "certificate", "value", "a domains", "found a", "server", "gmt content", "length", "header http2", "arizona", "scottsdale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 138, "domain": 377, "URL": 117, "hostname": 95, "FileHash-MD5": 144, "email": 3, "FileHash-SHA256": 1162 }, "indicator_count": 2036, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8fd4edfbd71548f7d5327", "name": "southshoresnews.com", "description": "interesting paragonpark seeking domain information string", "modified": "2026-04-03T00:08:04.195000", "created": "2026-03-05T03:49:34.257000", "tags": [ "united", "status", "creation date", "date", "as44273 host", "certificate", "overview ip", "address", "location united", "asn as16509", "unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "domain": 103, "hostname": 10, "URL": 10, "email": 1 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ikzeus.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ikzeus.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780424515.3943632 }