{
"type": "Domain",
"indicator": "intel.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/intel.com",
"alexa": "http://www.alexa.com/siteinfo/intel.com",
"indicator": "intel.com",
"type": "domain",
"type_title": "Domain",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #226",
"name": "Akamai Popular Domain"
},
{
"source": "majestic",
"message": "Whitelisted domain intel.com",
"name": "Whitelisted domain"
},
{
"source": "whitelist",
"message": "Whitelisted domain intel.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 2225246877,
"indicator": "intel.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69e4e7cfdc3bb3cdffeecf7c",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:51.385000",
"created": "2026-04-19T14:33:51.385000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e4e7c6ddf646eb4e645bd5",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:42.400000",
"created": "2026-04-19T14:33:42.400000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc70fcbd3f613502e1f7",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T09:28:38.049000",
"created": "2026-04-17T06:00:16.867000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 442,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24911,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc6fd3c4022e08db781d",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T06:51:33.372000",
"created": "2026-04-17T06:00:15.760000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 441,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6992bae83a5988dff8311490",
"name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
"description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
"modified": "2026-04-13T23:46:20.071000",
"created": "2026-02-16T06:36:24.788000",
"tags": [
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
"MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"#PotentialUS-Origin_FalseFlag_Obfuscation"
],
"references": [
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
],
"public": 1,
"adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"targeted_countries": [],
"malware_families": [
{
"id": "Malware Family: StealthWorker / GoBrut",
"display_name": "Malware Family: StealthWorker / GoBrut",
"target": "/malware/Malware Family: StealthWorker / GoBrut"
},
{
"id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"target": null
}
],
"attack_ids": [
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2166,
"FileHash-SHA1": 2067,
"FileHash-SHA256": 3371,
"domain": 13295,
"URL": 6860,
"email": 272,
"hostname": 4705,
"SSLCertFingerprint": 268,
"CVE": 107,
"CIDR": 6
},
"indicator_count": 33117,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 62,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b1fe81a036fb6a5d7fe16c",
"name": "VirusTotal report\n for executable.exe",
"description": "",
"modified": "2026-04-10T23:06:53.889000",
"created": "2026-03-11T23:45:05.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1,
"URL": 14,
"hostname": 7,
"domain": 4
},
"indicator_count": 28,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b0f7ac95dc7083708d2091",
"name": "ALBERTA clone arek- btc - same virus.",
"description": "",
"modified": "2026-04-10T05:02:49.470000",
"created": "2026-03-11T05:03:40.599000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "68346e8e3280aa271c02ec21",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 100,
"FileHash-MD5": 178,
"FileHash-SHA1": 178,
"FileHash-SHA256": 1009,
"domain": 129,
"hostname": 321,
"email": 3
},
"indicator_count": 1918,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa2bd7c559bc6374229dd5",
"name": "https://app.zencoder.com",
"description": "phishing and medium.com iocs",
"modified": "2026-04-05T01:24:33.524000",
"created": "2026-03-06T01:20:23.852000",
"tags": [
"present mar",
"as13335",
"united",
"aaaa",
"whitelisted",
"a domains",
"status",
"certificate",
"date",
"entries",
"body",
"title",
"html document",
"unicode text",
"utf8 text",
"language"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 133,
"FileHash-MD5": 53,
"FileHash-SHA1": 52,
"FileHash-SHA256": 51,
"domain": 115,
"email": 2,
"hostname": 108
},
"indicator_count": 514,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a8fff72a02303057d559c9",
"name": "http://paragonparkbook.wordpress.com/",
"description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com",
"modified": "2026-04-04T05:18:12.440000",
"created": "2026-03-05T04:00:55.226000",
"tags": [
"certificate",
"value",
"a domains",
"found a",
"server",
"gmt content",
"length",
"header http2",
"arizona",
"scottsdale"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 138,
"domain": 377,
"URL": 117,
"hostname": 95,
"FileHash-MD5": 144,
"email": 3,
"FileHash-SHA256": 1162
},
"indicator_count": 2036,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6998d15c75b59044877602c1",
"name": "Corrupt.... Files",
"description": "beaware",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-20T21:25:48.559000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 706,
"FileHash-SHA1": 859,
"FileHash-SHA256": 1480,
"URL": 743,
"domain": 1565,
"email": 55,
"hostname": 912,
"CVE": 54,
"CIDR": 27
},
"indicator_count": 6401,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a1535debec4128ab952040",
"name": "I See You, Too. #.icu",
"description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-27T08:18:37.071000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 294,
"CVE": 22,
"URL": 278,
"FileHash-MD5": 234,
"FileHash-SHA1": 240,
"FileHash-SHA256": 1663,
"hostname": 142,
"YARA": 1,
"email": 13,
"CIDR": 2
},
"indicator_count": 2889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a2e89660bd5d8eb8a3e520",
"name": ".NET Framework, Cryptographic Stagnation, Legacy Vulnerability, and Pipeline Rot",
"description": "A review of thousands of .NET Framework implementations reveals systemic cryptographic stagnation. The 1997 registration of DOTNET.NET exemplifies this; a foundational pillar of internet registries remains tethered to legacy NameSecure (IANA 30) infrastructure lacking modern hardening. This reliance on unsigned protocols and the absence of DNSSEC represents a critical failure to meet basic cryptographic standards, facilitating a pipeline for code execution and injection abuse. DMARC failures occur as a direct consequence, as underlying cryptographic trust anchors are too degraded to support modern authentication. As the June 2026 Secure Boot expiration approaches, it is evident the engine designed to govern execution operates on a compromised foundation.",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-28T13:07:34.771000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 148,
"FileHash-MD5": 95,
"FileHash-SHA1": 168,
"FileHash-SHA256": 403,
"hostname": 150,
"URL": 177,
"email": 6,
"CVE": 14
},
"indicator_count": 1161,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698d30c03b57c38dff915023",
"name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone",
"description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).",
"modified": "2026-03-29T06:02:00.914000",
"created": "2026-02-12T01:45:36.128000",
"tags": [
"The dynamics of the mudoSOSIntersectalign with sophisticated adv"
],
"references": [
"as15169"
],
"public": 1,
"adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URI": 1,
"domain": 2661,
"URL": 6810,
"hostname": 2147,
"email": 56,
"FileHash-SHA256": 2781,
"CVE": 172,
"FileHash-MD5": 365,
"FileHash-SHA1": 344,
"IPv4": 1,
"CIDR": 20940
},
"indicator_count": 36278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698ef344417f9985660e698b",
"name": "Pulse Data",
"description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.",
"modified": "2026-03-28T07:23:23.210000",
"created": "2026-02-13T09:47:48.788000",
"tags": [
"imphash",
"file type",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"detections tls",
"zeppelin"
],
"references": [
"",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access "
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 646,
"FileHash-SHA1": 604,
"FileHash-SHA256": 1373,
"hostname": 1143,
"domain": 1381,
"URL": 2537,
"CVE": 101,
"email": 25,
"SSLCertFingerprint": 9
},
"indicator_count": 7819,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "22 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "23 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "38 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "38 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 121,
"modified_text": "111 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64ed117e2308a042e50e1e9e",
"name": "Investigation of Distribution Vectors and Threat Network Infrastructure",
"description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.",
"modified": "2025-11-23T23:20:07.571000",
"created": "2023-08-28T21:28:30.294000",
"tags": [
"Domains",
"ip addresses",
"URLs",
"Files",
"Alberta Health Services",
"BEC",
"Education",
"University of Alberta",
"Government of Alberta",
"Covenant Health Alberta",
"Telus Communications",
"Canadian Universities",
"Malicious Certificates",
"Digital Identity Theft / Credential Theft"
],
"references": [
"https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
"https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
"https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
"https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
"https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
"https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
"https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
"https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
"https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
"https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
"https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
"https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
"https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
"https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
"https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
"https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
"https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
"https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
"https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
"https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
"https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
"https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
"https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
"https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
"https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
"https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
"https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
"https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
"https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
"https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
"https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
"https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
"https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
"https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
"https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
"https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
"https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
"https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
"https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
"https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
"https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
"https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
"https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
"https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
"https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
"https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
"https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
"https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
"https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
"https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]"
],
"public": 1,
"adversary": "Unknown APT Group(s) / Threat Actor (s)",
"targeted_countries": [
"Canada",
"United States of America",
"Philippines",
"Panama",
"Netherlands",
"Anguilla",
"Saint Vincent and the Grenadines",
"Aruba",
"Mexico",
"Guatemala",
"Costa Rica",
"Tanzania, United Republic of"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 111,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 236,
"FileHash-SHA1": 139,
"FileHash-SHA256": 1421,
"URL": 9580,
"CIDR": 30,
"domain": 10205,
"email": 12,
"hostname": 517612,
"IPv4": 11,
"CVE": 62
},
"indicator_count": 539308,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692131f725473d708579ec3a",
"name": "Drive-by Compromise",
"description": "",
"modified": "2025-11-22T03:45:59.649000",
"created": "2025-11-22T03:45:59.649000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66f31b9a0551ca166c872292",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "148 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f5cfa9b74d6faa43eb6585",
"name": "Indicator Removal service affecting Threat Hunters | Brian Sabey",
"description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-20T05:59:04.173000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f80aa152fdd795fa008e2e",
"name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices",
"description": "",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-21T22:35:13.128000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f5cfa9b74d6faa43eb6585",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "688716977e80a4274f2eafa9",
"name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more",
"description": "Found in Bot joining Pulse.",
"modified": "2025-08-27T06:03:05.020000",
"created": "2025-07-28T06:20:07.660000",
"tags": [
"present jul",
"united",
"entries",
"search",
"moved",
"ip address",
"creation date",
"record value",
"date",
"showing",
"body",
"meta",
"passive dns",
"next associated",
"win32spigot apr",
"title error",
"ipv4 add",
"pulse pulses",
"urls",
"files",
"adaptivebee",
"worm",
"win32",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results jul",
"location united",
"asn asnone",
"nameservers",
"less whois",
"registrar",
"csc corporate",
"status",
"servers",
"name servers",
"hostname",
"hostname add",
"a domains",
"script urls",
"unknown aaaa",
"technology one",
"script script",
"certificate",
"null",
"trojan",
"twitter",
"domain",
"files ip",
"address domain",
"ip related",
"pulses otx",
"virtool",
"http",
"present jun",
"present may",
"pulse submit",
"url analysis",
"reverse dns",
"australia asn",
"as55532 squiz",
"dns resolutions",
"overview ip",
"address",
"ipv4",
"iocs",
"data upload",
"extraction",
"ided iocs",
"failed",
"shaw",
"ail tvnas",
"rl irl",
"domain add",
"ostname add",
"verdict",
"show",
"types",
"type",
"indicator data",
"searc type",
"a indicator",
"data",
"select across",
"all pages",
"domain domain",
"checked url",
"hostname server",
"response ip",
"address google",
"safe browsing",
"msie",
"chrome",
"present dec",
"base",
"read c",
"port",
"destination",
"delete",
"copy",
"write",
"memcommit",
"cryptexportkey",
"invalid pointer",
"writeconsolea",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"ascii text",
"crlf line",
"mitre att",
"error",
"click",
"hybrid",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"form",
"adversaries",
"windows nt",
"generic http",
"exe upload",
"inbound",
"outbound",
"yara detections",
"malware",
"expiration date",
"whois show",
"name andrew",
"bauer name",
"div id",
"beginstring",
"beginerror",
"script",
"general",
"cloud",
"find",
"footer",
"ninite feb",
"telper",
"ninite mar",
"ninite apr",
"trojandropper",
"mtb mar",
"url https",
"general full",
"security tls",
"software",
"resource hash",
"protocol h2",
"frankfurt",
"main",
"germany",
"input",
"skype",
"opciones",
"july",
"es form",
"dom name",
"post https",
"imagen",
"microsoft",
"iniciar sesin",
"value",
"variables",
"config",
"debug",
"loader",
"geturl",
"b function",
"addlistener",
"proof",
"amazon02",
"dk summary",
"amazon rsa",
"september",
"browsing",
"resource",
"asn16509",
"name value",
"queueprogress",
"timestamp input",
"status actions"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 487,
"FileHash-SHA1": 461,
"URL": 10732,
"domain": 1672,
"email": 6,
"hostname": 3039,
"FileHash-SHA256": 2569,
"SSLCertFingerprint": 7
},
"indicator_count": 18973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "235 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "688343b9e60e8693f50e515f",
"name": "Cycbot & worse - Palantir Monitoring Target/s",
"description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous",
"modified": "2025-08-24T06:01:34.920000",
"created": "2025-07-25T08:43:37.734000",
"tags": [
"status",
"united",
"unknown ns",
"passive dns",
"urls",
"creation date",
"search",
"emails",
"date",
"expiration date",
"tcp include",
"top source",
"top destination",
"show",
"source source",
"data upload",
"extraction",
"showing",
"moved",
"certificate",
"ip address",
"domain",
"body",
"present jul",
"present jun",
"present aug",
"present sep",
"trojan",
"name servers",
"twitter",
"vtflooder",
"foundry",
"virustotal",
"gotham",
"palantir",
"tools",
"destination",
"port",
"msie",
"windows nt",
"unknown",
"read c",
"etpro trojan",
"malware",
"copy",
"write",
"infostealer",
"possible",
"virustotal",
"copyleft",
"present jan",
"entries",
"next associated",
"ipv4 add",
"pulse submit",
"url analysis",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"discovery att",
"hostname add",
"files",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"ascii text",
"mitre att",
"pattern match",
"show technique",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"look",
"verify",
"restart",
"se extri",
"referen",
"etpro tr",
"virtool",
"referencec",
"failed",
"se extra",
"eanioae",
"include review",
"exclude sugges",
"includec review",
"exclude",
"suggest data",
"open ports",
"reverse dns",
"location united",
"america flag",
"boardman",
"t1045",
"ck ids",
"packing",
"t1060",
"run keys",
"startup",
"folder",
"t1057",
"discovery",
"t1071",
"value emails",
"name domain",
"org microsoft",
"microsoft way",
"city redmond",
"country us",
"dnssec",
"t1012",
"t1047",
"instrumentation",
"t1053",
"taskjob",
"spyware",
"source",
"signing defense",
"size",
"meta",
"onload",
"dynamicloader",
"unicode text",
"crlf line",
"utf8",
"medium",
"write c",
"default",
"delphi",
"win32",
"code",
"stream",
"next",
"akamai rank",
"show process",
"prefetch2",
"dns server",
"network traffic",
"virus",
"monitored target",
"tofsee",
"generic http",
"exe upload",
"inbound",
"outbound",
"delete",
"yara detections",
"markus",
"flowid22101",
"pixelevtid11771",
"dvid",
"urls show",
"date checked",
"188 palantir results",
"adversaries",
"development att",
"ssl certificate",
"flag",
"stop",
"facebook",
"4328",
"5943",
"stealer",
"unknown aaaa",
"present may",
"domain add",
"hyundaitx",
"twitter",
"monitored tsara",
"brashears",
"apple",
"ios",
"remote",
"cycbot",
"maudio fw",
"heur",
"productversion",
"fileversion",
"maudio firewire"
],
"references": [
"palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/",
"247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com",
"ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
"Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)",
"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection",
"platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/",
"http://legal.twitter.co \u2022 http://mobile.twitter.co/",
"ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com",
"https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com",
"https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com",
"https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com",
"https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com",
"https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/",
"https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com",
"https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com",
"https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com",
"tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com",
"https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022",
"https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/",
"Hostname: hcl-dna-sandbox.palantirfoundry.com",
"https://www.hyundaitx.com/",
"ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check",
"https://remote.downloadnow-1.com/",
"Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp",
"Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection",
"Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source",
"Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004",
"Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |",
"ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vtflooder-9783271-0",
"display_name": "Win.Malware.Vtflooder-9783271-0",
"target": null
},
{
"id": "Trojan.Kazy-237",
"display_name": "Trojan.Kazy-237",
"target": null
},
{
"id": "Trojan.Vundo-5335",
"display_name": "Trojan.Vundo-5335",
"target": null
},
{
"id": "Generic31.BKFG",
"display_name": "Generic31.BKFG",
"target": null
},
{
"id": "Win.Packed.Krucky-6941986-0",
"display_name": "Win.Packed.Krucky-6941986-0",
"target": null
},
{
"id": "ALF:HSTR:KrunchyMalPacker!MTB",
"display_name": "ALF:HSTR:KrunchyMalPacker!MTB",
"target": null
},
{
"id": "Win.Trojan.Agent-920890",
"display_name": "Win.Trojan.Agent-920890",
"target": null
},
{
"id": "Win.Trojan.Jorik-10365",
"display_name": "Win.Trojan.Jorik-10365",
"target": null
},
{
"id": "Trojan.Adload-2492",
"display_name": "Trojan.Adload-2492",
"target": null
},
{
"id": "Trojan.Spy-59563",
"display_name": "Trojan.Spy-59563",
"target": null
},
{
"id": "Ransom:Win32/Cryptor",
"display_name": "Ransom:Win32/Cryptor",
"target": "/malware/Ransom:Win32/Cryptor"
},
{
"id": "Win32/Blacked",
"display_name": "Win32/Blacked",
"target": null
},
{
"id": "Win.Trojan.Cycbot-764",
"display_name": "Win.Trojan.Cycbot-764",
"target": null
},
{
"id": "Trojan.VB-47534",
"display_name": "Trojan.VB-47534",
"target": null
},
{
"id": "Backdoor:Win32/Drixed.J ,",
"display_name": "Backdoor:Win32/Drixed.J ,",
"target": "/malware/Backdoor:Win32/Drixed.J ,"
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn",
"target": null
},
{
"id": "Malware Tool",
"display_name": "Malware Tool",
"target": null
},
{
"id": "Palantir Spyware",
"display_name": "Palantir Spyware",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0030",
"name": "Defense Evasion",
"display_name": "TA0030 - Defense Evasion"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4203,
"domain": 1218,
"email": 9,
"hostname": 2006,
"FileHash-SHA256": 2740,
"FileHash-MD5": 424,
"FileHash-SHA1": 419,
"SSLCertFingerprint": 12
},
"indicator_count": 11031,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "238 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6882e2a53af80b1af320079d",
"name": "VirusTotal - Palantir- KrunchyMalPacker | Vflooder",
"description": "-> Hostname: \u2022 edenglobalpartners.palantirfoundry.com\n\u2022 c.twitterintegration.com\n*Trojan:Win32/Vflooder.E\nIDS Detections:\n- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup\n\u2022 Virus Total vtapi DOS\n\u2022 Generic HTTP EXE Upload Inbound\n\u2022 Observed Suspicious UA (Mozilla/5.0)\n\u2022 Generic HTTP EXE Upload Outbound || \n*ALF:HSTR:KrunchyMalPacker!MTB\t\n IDS Detections\n-Win32/Vflooder.B Checkin\n\u2022 TLS Handshake Failure\nYara Detections: \nkkrunchy023alpha2\nAlerts:\n\u2022 static_pe_anomaly\n\u2022 suricata_alert\n\u2022 dynamic_function_loading\n\u2022 network_cnc_https_generic\n\u2022 reads_self\n\u2022 network_cnc_http\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx ||\n__________\nIP\u2019s Contacted:\n\u2022 34.54.88.138\n\u2022 162.159.140.229\nDomains Contacted\n\u2022 twitter.com (SBKA - Palantir?)\n\u2022 www.virustotal.com\n#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears",
"modified": "2025-08-24T01:04:01.801000",
"created": "2025-07-25T01:49:25.325000",
"tags": [
"windows nt",
"dynamicloader",
"contentlength",
"tls handshake",
"failure",
"host",
"show",
"medium",
"search",
"entries",
"copy",
"write",
"malware",
"generic http",
"exe upload",
"inbound",
"outbound",
"domain",
"trojan",
"u0019",
"trojandropper",
"backdoor",
"mtb jul",
"united",
"passive dns",
"open ports",
"win32berbew jul",
"ipv4 add",
"present jul",
"present jun",
"cname",
"present aug",
"present sep",
"status",
"certificate",
"date",
"twitter",
"unknown ns",
"name servers",
"servers",
"showing",
"urls",
"creation date"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1903,
"hostname": 806,
"FileHash-SHA256": 1594,
"FileHash-MD5": 264,
"FileHash-SHA1": 297,
"SSLCertFingerprint": 1,
"domain": 515,
"email": 5
},
"indicator_count": 5385,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "238 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68788dfd4a0943cb318c7137",
"name": "DarkWatchman Chekin Activity",
"description": "",
"modified": "2025-08-16T06:02:36.091000",
"created": "2025-07-17T05:45:33.250000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7596,
"FileHash-SHA1": 3987,
"FileHash-SHA256": 8622,
"URL": 1922,
"domain": 2530,
"hostname": 2524,
"email": 37,
"CVE": 6,
"SSLCertFingerprint": 6
},
"indicator_count": 27230,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686e17b1ac7253ec7e12f1e8",
"name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile",
"description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization. There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts",
"modified": "2025-08-08T06:00:40.325000",
"created": "2025-07-09T07:18:09.062000",
"tags": [
"present jun",
"united",
"status",
"present may",
"present sep",
"search",
"date",
"entries",
"trojan",
"name servers",
"ransom",
"twitter",
"redacted for",
"showing",
"passive dns",
"urls",
"softlayer",
"internet",
"encrypt",
"record value",
"body",
"service",
"russia",
"spain",
"germany",
"netherlands",
"aaaa",
"france",
"virtool",
"creation date",
"expiration date",
"servers",
"hostname add",
"pulse pulses",
"files",
"present aug",
"ip address",
"applenoc",
"unknown ns",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"unknown aaaa",
"secure server",
"msie",
"chrome",
"moved",
"title",
"gmt content",
"type",
"pulse submit",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"pulses",
"related tags",
"google safe",
"indicator role",
"title added",
"active related",
"url https",
"dynamicloader",
"write c",
"windows nt",
"wow64",
"slcc2",
"media center",
"html",
"as15169",
"write",
"xport",
"copy",
"guard",
"malware",
"suspicious",
"next",
"extraction",
"data upload",
"failed",
"extri data",
"include review",
"exclude",
"sugges",
"stop x",
"s data",
"extr data",
"extraction data",
"enter soudcetdi",
"ad tevdag",
"cadad ad",
"draie",
"extri include",
"review",
"done",
"levelblue",
"exclude sugges",
"uny inuuue",
"find s",
"typ hos",
"script urls",
"canada unknown",
"script domains",
"a domains"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 181,
"FileHash-SHA1": 154,
"FileHash-SHA256": 1857,
"domain": 1424,
"email": 13,
"hostname": 1304,
"URL": 4168,
"CVE": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 9106,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "254 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "688b0fbceab364a2b84b1124",
"name": "Busybox MIORI Hackers - ongoing Aurora , Medical Campus -Mirai [by scoreblue -Team 8]",
"description": "",
"modified": "2025-07-31T06:39:56.204000",
"created": "2025-07-31T06:39:56.204000",
"tags": [
"idnischdr http",
"computer",
"america asn",
"as7018 att",
"url https",
"america",
"united states",
"united",
"germany",
"italy",
"trojan",
"all scoreblue",
"report spam",
"created",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"all search",
"author avatar",
"miori hackers",
"file score",
"detections elf",
"path",
"busybox busybox",
"brute force",
"attack bad",
"login yara",
"detections",
"sid name",
"malware cve",
"suspicious path",
"busybox",
"activity",
"system",
"malware beacon",
"bad login",
"attack",
"port",
"destination",
"show",
"search",
"exif data",
"property value",
"elf info",
"key value",
"x86 baddr",
"elf64 crypto",
"final url",
"ip address",
"status code",
"body",
"kb body",
"sha256",
"server",
"gmt connection",
"date sun",
"gmt contenttype",
"filehashsha256",
"crazy doll",
"next",
"key identifier",
"x509v3 subject",
"data",
"v3 serial",
"number",
"cgb stgreater",
"cnsectigo rsa",
"secure server",
"ca validity",
"cus stcolorado",
"info",
"director",
"orgtechhandle",
"orgtechref",
"university",
"whois lookup",
"netrange",
"nethandle",
"net168",
"net1680000",
"ucha",
"network",
"registry arin",
"country us",
"continent na",
"meta",
"script script",
"lance mueller",
"mueller",
"unknown",
"script urls",
"photography",
"passive dns",
"urls",
"model",
"creation date",
"hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"status",
"http",
"record value",
"emails",
"dnssec",
"domain name",
"backdoor",
"bad request",
"entries",
"title style",
"f2f2f2 color",
"helvetica neue",
"exploit",
"browse scan",
"endpoints all",
"search otx",
"related pulses",
"file samples",
"files matching",
"as44273 host",
"showing",
"telper",
"date hash",
"copyright",
"url http",
"win64",
"as53665 bodis",
"aaaa",
"as206834 team",
"canada unknown",
"read c",
"create c",
"write c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"dock",
"write",
"execution",
"copy",
"xport",
"1575038779",
"medium",
"capture",
"malware",
"february",
"as61969 team",
"servers",
"domain robot",
"expiration date",
"as714 apple",
"as42 woodynet",
"nxdomain",
"name servers",
"a nxdomain",
"ipv4",
"found",
"control",
"content type",
"as20940",
"asnone united",
"as701 verizon",
"as2914 ntt",
"win32",
"certificate",
"date",
"dynamicloader",
"high",
"t1055",
"attempts",
"yara detections",
"bitcoinaltcoin",
"code injection",
"high defense",
"ip related",
"pulses otx",
"pulses",
"overview domain",
"files ip",
"address domain",
"related tags",
"pulse pulses",
"div div",
"as49505",
"span",
"form",
"as6185 apple",
"china",
"as4812 china",
"as17816 china",
"as4134 chinanet",
"scan endpoints",
"trojan features",
"enigmaprotector",
"dynamic",
"powershell",
"filehash",
"for privacy",
"ltd dba",
"com laude",
"cname",
"cve20170147 sep",
"verdict",
"as63949 linode",
"https",
"as8075",
"united kingdom",
"whitelisted",
"as25825",
"moved",
"aurora",
"redacted for",
"whois lookups",
"orgid",
"east",
"seen",
"update date",
"cidr",
"netname uch",
"parent net168",
"nettype direct",
"contacted",
"tulach",
"brian sabey"
],
"references": [
"ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/",
"ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"ELF:Mirai-TO\\ [Trj] tulach.cc",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
"IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"Yara Detections: is__elf",
"168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
"www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
"Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
"webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
"girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net",
"http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
"Title The page title. Chieti Meteo - Webcam Abruzzo",
"Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
"savethemalesdenver.com | brasville.com.br?",
"168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
"Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
"CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
"Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145",
"Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
"IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
"IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
"IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
"Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
"http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
"http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
"http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
"http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552",
"chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
"Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
"Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
"Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
"Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
"Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
"Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
"Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
"Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
"Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
"Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread",
"Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
"Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
],
"public": 1,
"adversary": "busybox MIORI Hackers",
"targeted_countries": [
"United States of America",
"Mexico"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Bulilit",
"display_name": "TrojanDownloader:Win32/Bulilit",
"target": "/malware/TrojanDownloader:Win32/Bulilit"
},
{
"id": "ELF:Mirai-TO\\ [Trj]",
"display_name": "ELF:Mirai-TO\\ [Trj]",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.B",
"display_name": "Backdoor:Linux/Mirai.B",
"target": "/malware/Backdoor:Linux/Mirai.B"
},
{
"id": "TELPER:HSTR:DotCisOffer",
"display_name": "TELPER:HSTR:DotCisOffer",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Backdoor:Win32/Bladabindi",
"display_name": "Backdoor:Win32/Bladabindi",
"target": "/malware/Backdoor:Win32/Bladabindi"
},
{
"id": "ALF:E5",
"display_name": "ALF:E5",
"target": null
},
{
"id": "Win.Malware.Midie-9950743-0",
"display_name": "Win.Malware.Midie-9950743-0",
"target": null
},
{
"id": "Trojan:Win32/Emotet.ARJ!MTB",
"display_name": "Trojan:Win32/Emotet.ARJ!MTB",
"target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66fb3c4e8a2593134641f3c0",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 459,
"FileHash-MD5": 1228,
"FileHash-SHA1": 1163,
"FileHash-SHA256": 2243,
"domain": 876,
"hostname": 1088,
"CIDR": 2,
"email": 17,
"CVE": 2,
"SSLCertFingerprint": 5
},
"indicator_count": 7083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "262 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "682f7a9015233e9fef91432f",
"name": "Twitter adware.domaiq/lollipop - Pegasus related | iOS | Twitter intel",
"description": "Dropped from Pegasus IOCs\n\u2022msn.com/en-us/news/politics/house-democ-%0Arats-in-close-races-try-to-show-they-hear-voter-c\n\u2022msn.com\n\u2022msn.com/en-us/news/politics/house-democ-race-in-close-races-try-to-show-they-hear-voter-\n\u2022https://www.msn.com/en-us/news/politics/house-democ-%0Arats-in-close-races-try-to-show-they-hear-voter-c\t\nwww.politics.county.com.\n\u2022https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t\n\u2022https://www.anyxxxtube.net/search-porn/tsara-brashears/ \nTwitter intel links?\nintel.com\nintellicast.com\nhttp://103.246.145.11//gateonl.php?hwid=WALKER-PC-WALKER&cpuname=l\nCrowdsourced IDS Matches: MALWARE-CNC Win.Adware.DomaIQ variant outbound connection\ne INDICATOR-OBFUSCATION UTF-8 evasion attempt\n\u2022 SERVER-OTHER Squid HTTP Vary response header denial of service attempt\n\u2022chunked message body was truncated \u2022 (http_inspect) URI path contains consecutive slash characters || Yara: Win32_PUA_Domaiq #malicious #phishing \n#target #danger #iiOS",
"modified": "2025-06-21T14:01:14.773000",
"created": "2025-05-22T19:27:12.110000",
"tags": [
"domain related"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 32,
"domain": 15,
"FileHash-SHA256": 407,
"FileHash-MD5": 35,
"FileHash-SHA1": 34,
"hostname": 135,
"CVE": 1,
"email": 1
},
"indicator_count": 660,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "302 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "682ec20b31f362e2b1146339",
"name": "Isolated & related Twitter / Apple IOCs | Pegasus related attacks -ongoing",
"description": "TwitterX.com migration | Unknown Running on: Tsa B CMS: Express Powered by: Express\nBlock ID: EVA120 ?\nInteresting relationships: \nappleid.com \u2022\napple.com \u2022\napple.twitter.com | #whitelisting #twitter #apple #pegasus #targeting #redirects #remotely #rmsmodule",
"modified": "2025-06-21T05:04:45.181000",
"created": "2025-05-22T06:19:55.837000",
"tags": [
"hostname",
"no expiration",
"expiration",
"filehashsha256",
"url http",
"type indicator",
"role title",
"related pulses",
"ipv4",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"results apr",
"present jan",
"present apr",
"entries related",
"domains show",
"search",
"domain related",
"b cms",
"block id",
"url https",
"added active",
"dns endpoint",
"security scan",
"iocs",
"learn more",
"domain",
"indicators show"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 15,
"FileHash-SHA1": 15,
"FileHash-SHA256": 15,
"domain": 277,
"email": 3,
"URL": 46,
"hostname": 193
},
"indicator_count": 564,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "302 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "678f0dbdbc59dd2ea5656dcf",
"name": "Order ",
"description": "",
"modified": "2025-01-21T03:00:13.071000",
"created": "2025-01-21T03:00:13.071000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66f31b9a0551ca166c872292",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aclause21",
"id": "303913",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 31,
"modified_text": "453 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66fc29a49b5ac693c8d75122",
"name": "Medical Campus - Aurora, Co | Recheck",
"description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
"modified": "2024-10-31T16:03:52.240000",
"created": "2024-10-01T16:56:04.004000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3850,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3329,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "535 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66fb3c4e8a2593134641f3c0",
"name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai",
"description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anshutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post pulse multiple times. IP's were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups' silencing crime victims, journalists, dissents, potential whistle blowers. One victim attacked physically losing health battle. Doctors unwilling to treat.Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counter attack.",
"modified": "2024-10-30T22:04:06.705000",
"created": "2024-10-01T00:03:26.199000",
"tags": [
"idnischdr http",
"computer",
"america asn",
"as7018 att",
"url https",
"america",
"united states",
"united",
"germany",
"italy",
"trojan",
"all scoreblue",
"report spam",
"created",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"all search",
"author avatar",
"miori hackers",
"file score",
"detections elf",
"path",
"busybox busybox",
"brute force",
"attack bad",
"login yara",
"detections",
"sid name",
"malware cve",
"suspicious path",
"busybox",
"activity",
"system",
"malware beacon",
"bad login",
"attack",
"port",
"destination",
"show",
"search",
"exif data",
"property value",
"elf info",
"key value",
"x86 baddr",
"elf64 crypto",
"final url",
"ip address",
"status code",
"body",
"kb body",
"sha256",
"server",
"gmt connection",
"date sun",
"gmt contenttype",
"filehashsha256",
"crazy doll",
"next",
"key identifier",
"x509v3 subject",
"data",
"v3 serial",
"number",
"cgb stgreater",
"cnsectigo rsa",
"secure server",
"ca validity",
"cus stcolorado",
"info",
"director",
"orgtechhandle",
"orgtechref",
"university",
"whois lookup",
"netrange",
"nethandle",
"net168",
"net1680000",
"ucha",
"network",
"registry arin",
"country us",
"continent na",
"meta",
"script script",
"lance mueller",
"mueller",
"unknown",
"script urls",
"photography",
"passive dns",
"urls",
"model",
"creation date",
"hostname",
"pulse submit",
"url analysis",
"files",
"domain",
"status",
"http",
"record value",
"emails",
"dnssec",
"domain name",
"backdoor",
"bad request",
"entries",
"title style",
"f2f2f2 color",
"helvetica neue",
"exploit",
"browse scan",
"endpoints all",
"search otx",
"related pulses",
"file samples",
"files matching",
"as44273 host",
"showing",
"telper",
"date hash",
"copyright",
"url http",
"win64",
"as53665 bodis",
"aaaa",
"as206834 team",
"canada unknown",
"read c",
"create c",
"write c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"delete c",
"dock",
"write",
"execution",
"copy",
"xport",
"1575038779",
"medium",
"capture",
"malware",
"february",
"as61969 team",
"servers",
"domain robot",
"expiration date",
"as714 apple",
"as42 woodynet",
"nxdomain",
"name servers",
"a nxdomain",
"ipv4",
"found",
"control",
"content type",
"as20940",
"asnone united",
"as701 verizon",
"as2914 ntt",
"win32",
"certificate",
"date",
"dynamicloader",
"high",
"t1055",
"attempts",
"yara detections",
"bitcoinaltcoin",
"code injection",
"high defense",
"ip related",
"pulses otx",
"pulses",
"overview domain",
"files ip",
"address domain",
"related tags",
"pulse pulses",
"div div",
"as49505",
"span",
"form",
"as6185 apple",
"china",
"as4812 china",
"as17816 china",
"as4134 chinanet",
"scan endpoints",
"trojan features",
"enigmaprotector",
"dynamic",
"powershell",
"filehash",
"for privacy",
"ltd dba",
"com laude",
"cname",
"cve20170147 sep",
"verdict",
"as63949 linode",
"https",
"as8075",
"united kingdom",
"whitelisted",
"as25825",
"moved",
"aurora",
"redacted for",
"whois lookups",
"orgid",
"east",
"seen",
"update date",
"cidr",
"netname uch",
"parent net168",
"nettype direct",
"contacted",
"tulach",
"brian sabey"
],
"references": [
"ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/",
"ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"ELF:Mirai-TO\\ [Trj] tulach.cc",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
"IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"Yara Detections: is__elf",
"168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
"www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
"Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
"webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
"girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net",
"http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
"Title The page title. Chieti Meteo - Webcam Abruzzo",
"Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
"savethemalesdenver.com | brasville.com.br?",
"168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
"Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
"CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
"Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145",
"Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
"IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
"IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
"IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
"Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
"http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
"http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
"http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
"http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552",
"chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
"Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
"Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
"Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
"Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
"Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
"Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
"Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
"Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
"Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
"Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread",
"Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
"Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
],
"public": 1,
"adversary": "busybox MIORI Hackers",
"targeted_countries": [
"United States of America",
"Mexico"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Bulilit",
"display_name": "TrojanDownloader:Win32/Bulilit",
"target": "/malware/TrojanDownloader:Win32/Bulilit"
},
{
"id": "ELF:Mirai-TO\\ [Trj]",
"display_name": "ELF:Mirai-TO\\ [Trj]",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.B",
"display_name": "Backdoor:Linux/Mirai.B",
"target": "/malware/Backdoor:Linux/Mirai.B"
},
{
"id": "TELPER:HSTR:DotCisOffer",
"display_name": "TELPER:HSTR:DotCisOffer",
"target": null
},
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Backdoor:Win32/Bladabindi",
"display_name": "Backdoor:Win32/Bladabindi",
"target": "/malware/Backdoor:Win32/Bladabindi"
},
{
"id": "ALF:E5",
"display_name": "ALF:E5",
"target": null
},
{
"id": "Win.Malware.Midie-9950743-0",
"display_name": "Win.Malware.Midie-9950743-0",
"target": null
},
{
"id": "Trojan:Win32/Emotet.ARJ!MTB",
"display_name": "Trojan:Win32/Emotet.ARJ!MTB",
"target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 459,
"FileHash-MD5": 1228,
"FileHash-SHA1": 1163,
"FileHash-SHA256": 2243,
"domain": 876,
"hostname": 1088,
"CIDR": 2,
"email": 17,
"CVE": 2,
"SSLCertFingerprint": 5
},
"indicator_count": 7083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "535 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f31b9a0551ca166c872292",
"name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims",
"description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent",
"modified": "2024-10-24T19:00:50.385000",
"created": "2024-09-24T20:05:46.785000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "541 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f100d791f9f9f6ab7b4f24",
"name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
"description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
"modified": "2024-10-23T05:03:21.045000",
"created": "2024-09-23T05:47:03.625000",
"tags": [
"isp charter",
"usage type",
"fixed line",
"isp hostname",
"domain name",
"country united",
"america city",
"denver",
"colorado",
"ip address",
"whois",
"check",
"information isp",
"inc usage",
"type fixed",
"line isp",
"hostname",
"plesk forum",
"centos web",
"panel forum",
"whois lookup",
"netrange",
"nethandle",
"net107",
"net1070000",
"cc3517",
"inc orgid",
"dr city",
"stateprov",
"postalcode",
"status",
"as7843 charter",
"united",
"name servers",
"passive dns",
"urls",
"domain",
"search",
"emails",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"files",
"reverse dns",
"location united",
"win32",
"abuseipdb",
"read",
"write",
"read c",
"server header",
"show",
"suspicious",
"kelihos",
"trojan",
"artemis",
"virustotal",
"download",
"drweb",
"vipre",
"panda",
"malware",
"specified",
"next",
"et trojan",
"et info",
"medium",
"http",
"ids detections",
"yara detections",
"e98c1cec8156",
"as11426 charter",
"as20001 charter",
"as11427 charter",
"as11351 charter",
"as16787 charter",
"as33363 charter",
"as20115 charter",
"as10796 charter",
"as12271 charter",
"body",
"servers",
"all search",
"entries",
"intel",
"ms windows",
"windows nt",
"destination",
"port",
"asnone",
"heurunsec",
"etpro trojan",
"nxdomain",
"a nxdomain",
"aaaa",
"asnone united",
"aaaa nxdomain",
"backdoor",
"pulse submit",
"url analysis",
"location oxford",
"as3456 charter",
"moved",
"showing",
"body doctype",
"html public",
"ietfdtd html",
"as6976 verizon",
"as701 verizon",
"file samples",
"files matching",
"date hash",
"copyright",
"levelblue",
"related pulses",
"pulse pulses",
"kryptikpii",
"msr apr",
"date",
"creation date",
"analyzer paste",
"iocs",
"samples",
"secure server",
"cname",
"as5742",
"body head",
"object moved",
"content length",
"content type",
"cookie",
"as15133 verizon",
"lowfi",
"gmt server",
"ecacc",
"record value",
"oxford",
"michigan",
"ns nxdomain",
"soa nxdomain",
"url http",
"mitre att",
"evasion ta0005",
"creates",
"discovery t1082",
"reads software",
"file",
"t1083 reads",
"jujubox",
"zenbox",
"get http",
"request",
"host",
"win64",
"khtml",
"gecko",
"response",
"cus cndigicert",
"tls rsa",
"user",
"javascript c",
"doscom c",
"text c",
"files c",
"storage",
"file system",
"filesadobe c",
"appdata",
"appdatalocal",
"hostnames",
"ta0002 command",
"t1059 very",
"t1064",
"javascript",
"modules t1129",
"ta0003 create",
"modify system",
"process t1543",
"windows service",
"cisco umbrella",
"blacklist",
"safe site",
"filerepmalware",
"microsoft",
"phishing bank",
"sgeneric",
"malware site",
"unsafe",
"number",
"cus cngts",
"ogoogle trust",
"subject",
"algorithm",
"cus ouserver",
"ouserver ca",
"record type",
"ttl value",
"msms86718722",
"query",
"open",
"capa",
"create process",
"windows create",
"delete file",
"write file",
"windows check",
"os version",
"enumerate",
"hashes",
"signals mutexes",
"mutexes",
"open threat",
"location los",
"emails info",
"expiration date",
"write c",
"process32nextw",
"regsetvalueexa",
"regdword",
"module load",
"t1129",
"as51167 contabo",
"germany unknown",
"as40021 contabo",
"encrypt",
"hosting",
"netherlands asn",
"as204601 zomro",
"pulses",
"tags",
"related tags",
"indicator facts",
"historical otx",
"files ip",
"asnone germany",
"as174 cogent",
"czechia unknown",
"whitelisted",
"certificate",
"bittorrent dht",
"post http",
"et p2p",
"cryptexportkey",
"invalid pointer",
"delete c",
"post utcore",
"benchhttp",
"mozilla",
"maldoc",
"service",
"tools",
"nids",
"et",
"x95xd3xa4",
"regbinary",
"hx88x89",
"kx82xd3x11",
"xb9x8b",
"x8dxb7xb7",
"hx88x9ax1e",
"mx81xd1r",
"x92xac",
"stream",
"persistence",
"execution",
"dynamicloader",
"contacted",
"domains",
"yara rule",
"high",
"dynamic",
"pcap",
"pushdo",
"msie",
"activity beacon",
"malware beacon",
"default",
"redacted for",
"for privacy",
"as3379 kaiser",
"server",
"gmt content",
"type",
"x frame",
"entries http",
"scans show",
"domain related",
"no data",
"tag count",
"fakedout threat",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"detection list",
"components",
"zune",
"etpro",
"nod32",
"avast avg",
"next http",
"example domain",
"title meta",
"invalid url",
"akamai",
"urls http",
"as20940",
"as16625 akamai",
"netherlands",
"germany",
"france",
"virtool",
"rock",
"address",
"apache",
"accept",
"as8075",
"pulse http",
"related nids",
"files location",
"moldova related",
"pulses none",
"as31898 oracle",
"title",
"kryptiklfq",
"win32dh",
"vitro",
"shutdown",
"erase",
"find",
"close",
"as53418",
"hat server",
"as797 att",
"script urls",
"a domains",
"as10753 level",
"script script",
"meta",
"path",
"null",
"stop",
"as54113",
"chrome",
"as7018 att",
"as28521",
"mexico unknown",
"fastly error",
"please",
"sea p",
"object",
"set cookie",
"pragma",
"as19536 directv",
"united kingdom",
"as60664 xion",
"trojan features",
"moldova unknown",
"susp",
"breaking news",
"business",
"finance",
"entertainment",
"sports",
"games",
"trending videos",
"weather",
"home",
"as396982 google",
"url https",
"type indicator",
"role title",
"added active",
"cyberfolks",
".pl",
"level 3"
],
"references": [
"ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
"dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
"dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
"Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
"Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
"IDS Detections: Suspicious double Server Header Possible Kelihos",
"IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
"telemetry-incoming.r53-2.services.mozilla.com",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
"http://www.door.net/ARISBE/arisbe.htm",
"talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
"https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany",
"Hungary",
"Ukraine",
"Spain",
"Brazil",
"Russian Federation",
"Moldova, Republic of",
"Japan",
"Ireland",
"Luxembourg",
"Canada"
],
"malware_families": [
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Cerber Ransomware",
"display_name": "Cerber Ransomware",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Inject3.QGY",
"display_name": "Inject3.QGY",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "NOD32",
"display_name": "NOD32",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "Sf:ShellCode-AU\\ [Trj]",
"display_name": "Sf:ShellCode-AU\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba",
"display_name": "Trojan:Win32/Glupteba",
"target": "/malware/Trojan:Win32/Glupteba"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2060,
"hostname": 3067,
"CIDR": 4,
"URL": 1300,
"email": 29,
"FileHash-MD5": 3181,
"FileHash-SHA1": 1994,
"FileHash-SHA256": 3228,
"CVE": 2,
"SSLCertFingerprint": 1
},
"indicator_count": 14866,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "543 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"div>
",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
"IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004",
"ELF:Mirai-TO\\ [Trj] tulach.cc",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
"Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"www.pornhubselect.com | pornhub.software",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
"\u2193Command and Control \u2193",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector , xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"CNC Hostname: urlspirit.spiritsoft.cn",
"https://discuss.ai.google.dev/c/gemma/10",
"https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
"https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"fmfmobile.fe.apple-dns.net",
"dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
"Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"https://freedns.afraid.org/images/exclamation",
"https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com",
"airinthemorning.net",
"https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"https://m.bigwetbutts.com/ tmi",
"https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection",
"https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022",
"http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
"Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
"https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
"ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996",
"https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
"Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
"https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
"Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
"https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
"ELF:Mirai-TO\\ [Trj] 12.111.210.191 | United States of America ASN AS7018 att services inc",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Requires further research.",
"https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
"https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
"http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556 | http://girlsandtheir.webcam/&_=1727665483552",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"https://www.hyundaitx.com/",
"Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
"https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
"https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
"https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
"https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com",
"https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
"webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
"savethemalesdenver.com | brasville.com.br?",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"IDS Detections: busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
"IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
"It appears there are 5-7 known affected that I was able to find",
"http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
"Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
"applestore.net",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
"https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
"dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
"developer.huawei.com",
"https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
"https://apps.apple.com/app/",
"Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source",
"https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
"tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://notredamewormhoutnet.appleid.com/",
"metropcs.com/account/sign-in.html",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
"https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"https://families.google/intl/pt-PT_ALL/familylink/",
"https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
"https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
"https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
"Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
"https://remote.downloadnow-1.com/",
"https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
"ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
"Same legal , and quasi governmental pattern identified",
"palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/",
"https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
"CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
"telemetry-incoming.r53-2.services.mozilla.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com",
"as15169",
"admin@bigtits.com",
"https://l.us-1.a.mimecastprotect.com/l",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
"https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"Obfuscation: XOR-based String Encryption (0x20)",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"Yara Detections: is__elf , DemonBot",
"news-publisher.pictures",
"ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com",
"Basic Properties Regional Internet Registry ARIN Country US Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
"ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ || [Trj] http://itsupport.uchealth.org/",
"Title The page title. Chieti Meteo - Webcam Abruzzo",
"Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com",
"http://www.door.net/ARISBE/arisbe.htm",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"Mirai: simswap.in",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
"ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com",
"ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
"Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies deletes_executed_files infostealer_bitcoin injection_createremotethread",
"IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
"DISTINCTIO8.pdf",
"Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"https://tulach.cc/ | tulach.cc |",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)",
"https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
"https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
"https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
"Address 198.185.159.144 , 198.185.159.145 , 198.49.23.144 , 198.49.23.145",
"http://legal.twitter.co \u2022 http://mobile.twitter.co/",
"Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"mastodon.social",
"Hostname: hcl-dna-sandbox.palantirfoundry.com",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/",
"https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
"Yara Detections: is__elf",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
"IDS Detections: Suspicious double Server Header Possible Kelihos",
"I apologize for the lack of reference.",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
"https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
"https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
"girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net ns2.parkingcrew.net",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
"http://certs.apple.com/appleistca2g1_bc.cer",
"p155-fmfmobile.icloud.com",
"168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
"168.200.5.0/24: Autonomous System Number :18693 || Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com",
"4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com",
"chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
"T1110.001 (Brute Force: Password Guessing)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
"https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
"https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]",
"IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
"https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
"https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
"https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com",
"http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"busybox MIORI Hackers",
"Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act",
"Unknown APT Group(s) / Threat Actor (s)"
],
"malware_families": [
"#lowfi:lua:dllsuspiciousexport.a",
"Cerber ransomware",
"Systweak",
"Skynet",
"Paragon (pegasus variant)",
"Zeus",
"Bambernek",
"Noname057",
"#lowfi:exploit:java/cve-2012-0507",
"Ransom",
"Trojan.spy-59563",
"Win.malware.midie-9950743-0",
"\u2019m",
"Trojan:js/berbew",
"Ransom:win32/cryptor",
"Win.packed.krucky-6941986-0",
"Alf:e5",
"Backdoor:win32/bladabindi",
"Inject3.qgy",
"Win.trojan.agent-920890",
"Trojan:win32/smkldr.h!mtb",
"Xloader for ios - s0490",
"Win.trojan.sarwent-10012602-0",
"Softcnapp",
"Cve-2017-17215",
"Worm:win32/autorun",
"Target saver",
"Kraddare",
"Win.malware.jaik-9968280-0",
"Unix.trojan.mirai-6981169-0",
"Tofsee",
"#lowfitrojan:html/iframe",
"Starfighter (javascript)",
"Trojan.vundo-5335",
"Alf:hstr:krunchymalpacker!mtb",
"Palantir spyware",
"Redline",
"Alf:jasyp:pua:win32/4shared",
"Ddos:linux/gafgyt.ya!mtb",
"Pegasus for android - mob-s0032",
"Backdoor:linux/mirai",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Generic31.bkfg",
"Telper:hstr:dotcisoffer",
"Alf:html/phishing",
"Mirai (windows)",
"Zeroaccess - s0027",
"Trojandownloader:win32/bulilit",
"Swrort",
"Hacktool",
"Virus:win32/sivis.a",
"Win.trojan.barys-10005825-0",
"Trojandownloader:win32/cutwail",
"Trojan:win32/zombie.a",
"Win:zgrat",
"Elf:mirai-to\\ [trj]",
"Trojan:win32/emotet.arj!mtb",
"Malware tool",
"Kelihos",
"Artro",
"Win.malware.oxypumper-6900435-0",
"Emotet",
"Wacatac.",
"Win.trojan.installcore-1177",
"Trojan.vb-47534",
"Careto",
"Html smuggling",
"Backdoor:win32/drixed.j ,",
"Trojandownloader:linux/mirai",
"#lowfi:hstr:win32/mediadownloader",
"Trojan.adload-2492",
"Ransom:win32/haperlock",
"Malware family: stealthworker / gobrut",
"Win.trojan.jorik-10365",
"Blacknet",
"Win32/blacked",
"Nids",
"Xrat",
"Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
"Trojanspy",
"Et",
"Trojan.kazy-237",
"Tinba",
"Virtool:win32/obfuscator",
"Nod32",
"Alf:heraklezeval:pws:win32/ldpinch!rfn",
"Tibs",
"Onelouder",
"Tiggre",
"Graphite (pegasus variant)",
"Alf:backdoor:java/webshell",
"Win.malware.vtflooder-9783271-0",
"Cve-2014-8361",
"Zbot",
"Trojan:win32/glupteba",
"Icedid",
"M1",
"Win.trojan.cycbot-764",
"Pegasus for ios - s0289",
"Pegasus for mac",
"Win.downloader.small",
"Alf:backdoor:powershell/reverseshell",
"Trojan:win32/neurevt",
"Worm:win32/mydoom",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Suppobox",
"Networm",
"Mirai",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Trojanspy:win32/nivdort",
"Mydoom",
"Cve-2023-27350",
"Etpro",
"Backdoor:win32/tofsee",
"Win.trojan.installcore-877",
"Sf:shellcode-au\\ [trj]",
"Union",
"Nircmd",
"Win.ransomware.bitman-9862733-0",
"#hstr:hacktool:win32/remoteshell",
"Fusioncore",
"Worm:win32/autorun.xxy!bit",
"Pegasus rdp module for windows",
"Trojan.agensla/msil",
"Tel:createscheduledtask",
"Virus:dos/nanjing",
"Backdoor:linux/mirai.b",
"Win.malware.qshell-9875653-0"
],
"industries": [
"Media",
"Government",
"Education",
"Telecommunications",
"Legal",
"Technology",
"Telecom",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Civilians",
"Civil",
"Healthcare",
"People"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69e4e7cfdc3bb3cdffeecf7c",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:51.385000",
"created": "2026-04-19T14:33:51.385000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e4e7c6ddf646eb4e645bd5",
"name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]",
"description": "",
"modified": "2026-04-19T14:33:42.400000",
"created": "2026-04-19T14:33:42.400000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"communicating",
"siblings",
"file",
"hell",
"lenovo tablet",
"name servers",
"as714 apple",
"united",
"creation date",
"search",
"servers",
"date",
"moved",
"certificate",
"passive dns",
"body",
"historical",
"collections",
"contacted",
"strange",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"blacklist http",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"malicious site",
"malware site",
"phishing site",
"million",
"malware",
"http attacker",
"ip address",
"algorithm",
"v3 serial",
"number",
"ist ca",
"g1 validity",
"public key",
"info",
"key algorithm",
"ec oid",
"key identifier",
"first",
"team alexa",
"downloader",
"wed apr",
"alexa",
"pony",
"name verdict",
"pattern match",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"misc attack",
"script",
"beginstring",
"mitre att",
"null",
"unknown",
"span",
"error",
"class",
"generator",
"critical",
"meta",
"hybrid",
"general",
"local",
"click",
"strings",
"refresh",
"tools",
"malicious url",
"hostname",
"hostnames",
"phishing",
"union",
"team",
"bank",
"unsafe",
"spammer",
"node tcp",
"traffic",
"attacker",
"tor known",
"tor relayrouter",
"jul jan",
"mon sep",
"heur",
"artemis",
"iframe",
"conduit",
"crack",
"riskware",
"opencandy",
"cleaner",
"exploit",
"downldr",
"presenoker",
"wacatac",
"agent",
"fusioncore",
"applicunwnt",
"acint",
"nircmd",
"swrort",
"systweak",
"behav",
"tiggre",
"genkryptik",
"filetour",
"generic",
"patcher",
"driverpack",
"xtrat",
"softcnapp",
"cyber threat",
"dns server",
"http spammer",
"host",
"download",
"asyncrat",
"cobalt strike",
"apple",
"urls http",
"368600",
"320700",
"dc1542721039132",
"subdomains",
"noname057",
"tld count",
"urls",
"blacklist https",
"engineering",
"singapore",
"phishtank",
"suppobox",
"bambernek",
"facebook",
"zbot",
"malicious",
"zeus",
"emotet",
"ransomware",
"nymaim",
"redline stealer",
"service",
"virut",
"kraken",
"keybase",
"stealer",
"hawkeye",
"tinba",
"mirai",
"nanocore",
"bradesco",
"cve201711882",
"ip detections",
"country",
"83500",
"1602192580242",
"1602192586217",
"blog",
"1602192588844",
"1602192624796",
"303300",
"vhash",
"authentihash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"intel",
"trid windows",
"control panel",
"file version",
"copyright",
"product",
"description",
"original name",
"internal name",
"rticon neutral",
"chi2",
"contained",
"details module",
"version id",
"typelib id",
"header target",
"machine intel",
"utc entry",
"point",
"count blacklist",
"tag tag",
"dot net",
"assembly common",
"clr version",
"assembly name",
"address",
"assembly",
"rva entry",
"streams size",
"entropy chi2",
"guid",
"applenoc",
"showing",
"record value",
"scan endpoints",
"all search",
"as20940",
"as16625 akamai",
"status",
"cname",
"china",
"as136907 huawei",
"nanjing",
"as2914 ntt",
"america",
"as7843 charter",
"as6461 zayo",
"domain",
"p155-fmfmobile.icloud.com",
"t-mobile",
"metro t-mobile",
"metro",
"metroby",
"social engineering",
"happywifehappylife",
"bot",
"darknet service",
"tsara brashears",
"jeffrey reimer",
"pixelrz",
"yandex",
"cp",
"cyber",
"red team",
"framing",
"qwest",
"cybercrime",
"cyber threat",
"sha256",
"runtime process",
"sha1",
"size",
"windows nt",
"indicator",
"svg scalable",
"accept",
"unis",
"buttons",
"overwrite",
"format",
"spyware",
"heodo",
"fri nov",
"installcore",
"installpack",
"win64",
"fakealert",
"dropper",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"dapato",
"networm",
"mediaget",
"softonic",
"trojan",
"encpk",
"qbot",
"predator",
"kraddare",
"iobit",
"dllinject",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"keygen",
"fareit",
"secrisk",
"unruy",
"floxif",
"adload",
"et cins",
"active threat",
"reputation ip",
"threats et",
"cins active",
"poor reputation",
"ip tcp",
"privacy admin",
"privacy tech",
"com laude",
"redacted for",
"server",
"priority",
"email",
"organization",
"city",
"cnapple public",
"server rsa",
"stcalifornia",
"cnapple ist",
"identity search",
"group",
"issuer criteria",
"type",
"ilike search",
"id logged",
"valid",
"no no",
"no na",
"ip security",
"apple",
"limited",
"ca id",
"lsalford",
"ocomodo ca",
"code signing",
"mozilla",
"android",
"memory checks",
"dotnet_encrypted",
"multi family rat detection",
"malware_win_zgrat"
],
"references": [
"Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7",
"p155-fmfmobile.icloud.com",
"\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193",
"developer.huawei.com",
"PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]",
"http://www.cscglobal.com/global/web/csc/digital-brand-services.html",
"Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45",
"fmfmobile.fe.apple-dns.net",
"http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/",
"http://notredamewormhoutnet.appleid.com/",
"news-publisher.pictures",
"applestore.net",
"airinthemorning.net",
"http://certs.apple.com/appleistca2g1_bc.cer",
"http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)",
"https://dc-mx.d3525d602ca2.pixelrz.com",
"http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c",
"http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)",
"http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)",
"http://pixelrz.com/lists/suggestions/rs485-arduino/",
"http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)",
"http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)",
"http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com",
"Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84",
"Resource: https://crt.sh/?q=privaterelay.appleid.com",
"\u2193Command and Control \u2193",
"CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36",
"CNC Hostname: urlspirit.spiritsoft.cn",
"Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16",
"Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com",
"Resource: https://urlscan.io/domain/privaterelay.appleid.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Systweak",
"display_name": "Systweak",
"target": null
},
{
"id": "Swrort",
"display_name": "Swrort",
"target": null
},
{
"id": "Tinba",
"display_name": "Tinba",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "FusionCore",
"display_name": "FusionCore",
"target": null
},
{
"id": "Redline",
"display_name": "Redline",
"target": null
},
{
"id": "Virus:DOS/Nanjing",
"display_name": "Virus:DOS/Nanjing",
"target": "/malware/Virus:DOS/Nanjing"
},
{
"id": "nircmd",
"display_name": "nircmd",
"target": null
},
{
"id": "noname057",
"display_name": "noname057",
"target": null
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Softcnapp",
"display_name": "Softcnapp",
"target": null
},
{
"id": "Union",
"display_name": "Union",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "Kraddare",
"display_name": "Kraddare",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "trojan.agensla/msil",
"display_name": "trojan.agensla/msil",
"target": null
},
{
"id": "Win:ZGRAT",
"display_name": "Win:ZGRAT",
"target": null
},
{
"id": "Wacatac.",
"display_name": "Wacatac.",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "656a971ab44409ecb7018428",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1220,
"FileHash-SHA1": 613,
"FileHash-SHA256": 5010,
"URL": 13617,
"hostname": 3699,
"domain": 2783,
"email": 11,
"CVE": 23,
"CIDR": 2
},
"indicator_count": 26978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc70fcbd3f613502e1f7",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T09:28:38.049000",
"created": "2026-04-17T06:00:16.867000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 442,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24911,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc6fd3c4022e08db781d",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T06:51:33.372000",
"created": "2026-04-17T06:00:15.760000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 441,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6992bae83a5988dff8311490",
"name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
"description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
"modified": "2026-04-13T23:46:20.071000",
"created": "2026-02-16T06:36:24.788000",
"tags": [
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
"MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"#PotentialUS-Origin_FalseFlag_Obfuscation"
],
"references": [
"Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
"Obfuscation: XOR-based String Encryption (0x20)",
"T1110.001 (Brute Force: Password Guessing)",
"This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
"Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
"Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
"his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
"The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
"By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
"The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
"",
"The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
"By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
"The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
"LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
"LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
"LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
"Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
"Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
"Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
"Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
"Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
"WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
],
"public": 1,
"adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
"targeted_countries": [],
"malware_families": [
{
"id": "Malware Family: StealthWorker / GoBrut",
"display_name": "Malware Family: StealthWorker / GoBrut",
"target": "/malware/Malware Family: StealthWorker / GoBrut"
},
{
"id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
"target": null
}
],
"attack_ids": [
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2166,
"FileHash-SHA1": 2067,
"FileHash-SHA256": 3371,
"domain": 13295,
"URL": 6860,
"email": 272,
"hostname": 4705,
"SSLCertFingerprint": 268,
"CVE": 107,
"CIDR": 6
},
"indicator_count": 33117,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 62,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b1fe81a036fb6a5d7fe16c",
"name": "VirusTotal report\n for executable.exe",
"description": "",
"modified": "2026-04-10T23:06:53.889000",
"created": "2026-03-11T23:45:05.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1,
"URL": 14,
"hostname": 7,
"domain": 4
},
"indicator_count": 28,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b0f7ac95dc7083708d2091",
"name": "ALBERTA clone arek- btc - same virus.",
"description": "",
"modified": "2026-04-10T05:02:49.470000",
"created": "2026-03-11T05:03:40.599000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "68346e8e3280aa271c02ec21",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 100,
"FileHash-MD5": 178,
"FileHash-SHA1": 178,
"FileHash-SHA256": 1009,
"domain": 129,
"hostname": 321,
"email": 3
},
"indicator_count": 1918,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa2bd7c559bc6374229dd5",
"name": "https://app.zencoder.com",
"description": "phishing and medium.com iocs",
"modified": "2026-04-05T01:24:33.524000",
"created": "2026-03-06T01:20:23.852000",
"tags": [
"present mar",
"as13335",
"united",
"aaaa",
"whitelisted",
"a domains",
"status",
"certificate",
"date",
"entries",
"body",
"title",
"html document",
"unicode text",
"utf8 text",
"language"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 133,
"FileHash-MD5": 53,
"FileHash-SHA1": 52,
"FileHash-SHA256": 51,
"domain": 115,
"email": 2,
"hostname": 108
},
"indicator_count": 514,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a8fff72a02303057d559c9",
"name": "http://paragonparkbook.wordpress.com/",
"description": "another Ma expired cert and unsigned dnssec. Creation Date\t2000-03-03T04:13:23\nDnssec\tunsigned\nDomain Name\tWORDPRESS.COM\nDomain Name\twordpress.com\nEmails\tdomains@automattic.com.80 Title\t301 Moved Permanently\n80 Body\thtml head title 301 Moved Permanently /title /head body center h1 301 Moved Permanently /h1 /center hr center nginx /center /body /html\n80 Header\tHTTP/1.1 301 Moved Permanently Server: nginx Date: Thu 05 Mar 2026 03:55:19 GMT Content Type: text/html Content Length: 162 Connection: keep alive Location: https://paragonparkbook.wordpress.com/ Alt Svc: h3= :443 ma=86400 Server Timing: a8c cdn dc desc=sea cache desc=BYPASS dur=0.0\n443 Title\tThe History of Paragon Park When Summer Meant Everything: The Enduring Legacy of Paragon Park\n443 A Domains\tparagonparkbook.wordpress.com",
"modified": "2026-04-04T05:18:12.440000",
"created": "2026-03-05T04:00:55.226000",
"tags": [
"certificate",
"value",
"a domains",
"found a",
"server",
"gmt content",
"length",
"header http2",
"arizona",
"scottsdale"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 138,
"domain": 377,
"URL": 117,
"hostname": 95,
"FileHash-MD5": 144,
"email": 3,
"FileHash-SHA256": 1162
},
"indicator_count": 2036,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "intel.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "intel.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776615665.010582
}