{ "type": "Domain", "indicator": "jayadoni.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jayadoni.com", "alexa": "http://www.alexa.com/siteinfo/jayadoni.com", "indicator": "jayadoni.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2868970233, "indicator": "jayadoni.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "68d0f099f60e98e6c4ffc1e5", "name": "Elaborate Medical Insurance Scheme | Claims Reversal", "description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam", "modified": "2025-10-22T05:00:52.085000", "created": "2025-09-22T06:45:45.714000", "tags": [ "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "date", "encrypt", "united", "backdoor", "entries", "passive dns", "hstr", "checkin", "next associated", "lowfi", "trojan", "ipv4 add", "twitter", "trojandropper", "ransom", "body", "url https", "type indicator", "role title", "added active", "related pulses", "url http", "ck ids", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "search", "filehashsha1", "filehashmd5", "domain", "hostname", "virgin islands", "canada", "ireland", "pes of", "expiration", "hall render", "possible deep", "https", "panda", "post", "insane", "law firm", "virtool", "service", "iocs", "learn more", "et trojan", "msie", "windows nt", "show", "unknown", "france as16276", "united kingdom", "possible", "write", "win32", "malware", "copy", "next", "et", "returnurl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Italy", "Aruba", "Germany", "Ireland", "Spain", "Poland", "Canada", "T\u00fcrkiye", "Romania", "Sweden", "Australia", "Singapore", "Denmark" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2905, "URL": 5029, "hostname": 1146, "FileHash-SHA256": 935, "FileHash-MD5": 102, "FileHash-SHA1": 100, "email": 3 }, "indicator_count": 10220, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "768 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a536d6ca1f8cf73b0a0c", "name": "Content Reputation Revenge", "description": "", "modified": "2023-12-06T16:45:42.567000", "created": "2023-12-06T16:45:42.567000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a53297598bac143dc90c", "name": "Malvertizing", "description": "", "modified": "2023-12-06T16:45:38.747000", "created": "2023-12-06T16:45:38.747000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a52d46c621212ee24542", "name": "Malvertizing: Exponential Adult Contact Revenge Porn & Vulnerabilities", "description": "", "modified": "2023-12-06T16:45:32.953000", "created": "2023-12-06T16:45:32.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507d445eaddea2b39611065", "name": "Malvertizing: Exponential Adult Contact Revenge Porn & Vulnerabilities", "description": "BrownTube.com/Target?\nToday: Blacklisted & Whitelisted domain. All malware is correct and verified and by now historical. Evader, detects all AI and intrusion. Packed! Farr more vulnerabilities than necessary to list. Research shows this attack on a targeted individuals dates back years. There is evidence of a browser malware that would direct targeted person's directly to site where device is brutally infected. Based on online research target may have been a victim of crime. Even if that weren't the case, this is definitely criminal and intentional.\nThere is underage content advertised. Web and Hidden CAMS accessed.\nVerdict: Revenge Porn\nTarget country clarifier: Origin of campaign US. It is advertised in Russia via Bing aka Yandex/Microsoft merge.\nIt's is viewable Anywhere.", "modified": "2023-10-18T02:01:30.938000", "created": "2023-09-18T04:38:29.088000", "tags": [ "pierced pussy", "shemale interracial", "thai lesb", "asia anal", "girl on girl", "happy end", "thai sex", "amateur", "thai porn", "gay amateur", "amateur amateur", "asian big", "teens pov", "big tits", "tsara brashears", "porn thai", "cisco umbrella", "malware", "alexa top", "million", "site", "safe site", "heur", "internet storm", "artemis", "adware", "alexa", "coinminer", "iframe", "riskware", "patcher", "crack", "blacklist", "malware site", "malicious site", "detection list", "phishing", "windows nt", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "blacklist https", "whois record", "resolutions", "referrer", "Suricata", "content reputation", "ALERT: WEB CAMS", "child abuse", "South Carolina Federal Credit Union Phishing", "Phishing.HTML", "js user", "evader", "redirect", "browser malware", "cyber crime", "Abuse", "Yandex", "United States", "Suricata Alert", "From America to Russia" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "EngineBox Malware", "display_name": "EngineBox Malware", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "#Exploit:NtQueryIntervalProfile", "display_name": "#Exploit:NtQueryIntervalProfile", "target": null }, { "id": "HackTool:Win32/IPCCrack", "display_name": "HackTool:Win32/IPCCrack", "target": "/malware/HackTool:Win32/IPCCrack" }, { "id": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "display_name": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "#LowFi:Adware:Win32/Altnet", "display_name": "#LowFi:Adware:Win32/Altnet", "target": null }, { "id": "Phishing.BNR", "display_name": "Phishing.BNR", "target": null }, { "id": "Ameriprise Financial phishing", "display_name": "Ameriprise Financial phishing", "target": null }, { "id": "#Lowfi:HSTR:Win32/DownloadMR", "display_name": "#Lowfi:HSTR:Win32/DownloadMR", "target": null }, { "id": "Malware Download", "display_name": "Malware Download", "target": null }, { "id": "#Lowfi:HSTR:Win32/WidgiToolbar", "display_name": "#Lowfi:HSTR:Win32/WidgiToolbar", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Application.Agent", "display_name": "Application.Agent", "target": null }, { "id": "Backdoor.PHP.WebShell", "display_name": "Backdoor.PHP.WebShell", "target": null }, { "id": "MalwareHiderPatched", "display_name": "MalwareHiderPatched", "target": null }, { "id": "JS.eIframeAcNMe", "display_name": "JS.eIframeAcNMe", "target": null }, { "id": "Pua.Snojan", "display_name": "Pua.Snojan", "target": null }, { "id": "Application.CoinMiner", "display_name": "Application.CoinMiner", "target": null }, { "id": "W32.HfsAdware", "display_name": "W32.HfsAdware", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "Trojan.QUAF", "display_name": "Trojan.QUAF", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Hoax.HTML.Phish", "display_name": "Hoax.HTML.Phish", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Malware.Phish", "display_name": "Malware.Phish", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Trojan.HTML.Generic.4 Phish.82B7", "display_name": "Trojan.HTML.Generic.4 Phish.82B7", "target": null }, { "id": "HTML:PhishingMS", "display_name": "HTML:PhishingMS", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HTML.Generic Phishing.S23", "display_name": "HTML.Generic Phishing.S23", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Adware.Agent", "display_name": "Adware.Agent", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Trojan.Script.Generic", "display_name": "Trojan.Script.Generic", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Trojan.Reconyc ml.Generic", "display_name": "Trojan.Reconyc ml.Generic", "target": null }, { "id": "Ole2.Macro.Agent HTML:PhishingMail", "display_name": "Ole2.Macro.Agent HTML:PhishingMail", "target": null }, { "id": "Gen:Variant.Application.LoadMoney", "display_name": "Gen:Variant.Application.LoadMoney", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "Trojan.Disco", "display_name": "Trojan.Disco", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "PUP.Dstudio.dd", "display_name": "PUP.Dstudio.dd", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Gen:Variant.Application.Bundler.Somoto", "display_name": "Gen:Variant.Application.Bundler.Somoto", "target": null }, { "id": "Phishing.DOC", "display_name": "Phishing.DOC", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Ole2.Macro.Agent", "display_name": "Ole2.Macro.Agent", "target": null }, { "id": "Trojan.Reconyc 1", "display_name": "Trojan.Reconyc 1", "target": null }, { "id": "HTML:PhishingMail", "display_name": "HTML:PhishingMail", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "Gen:Variant.Ser.Bulz", "display_name": "Gen:Variant.Ser.Bulz", "target": null }, { "id": "Phishing.Agent", "display_name": "Phishing.Agent", "target": null }, { "id": "HEUR:Trojan.BAT", "display_name": "HEUR:Trojan.BAT", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "malicious.35bb6b", "display_name": "malicious.35bb6b", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "TScope.Malware", "display_name": "TScope.Malware", "target": null }, { "id": "PUA.NSISmod", "display_name": "PUA.NSISmod", "target": null }, { "id": "Trojan.Uztuby", "display_name": "Trojan.Uztuby", "target": null }, { "id": "JS.Phishing", "display_name": "JS.Phishing", "target": null }, { "id": "Win64:Malware", "display_name": "Win64:Malware", "target": null }, { "id": "AGEN.1031860", "display_name": "AGEN.1031860", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "Trojan.Script.Phish", "display_name": "Trojan.Script.Phish", "target": null }, { "id": "HTML:Instagram", "display_name": "HTML:Instagram", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "DriverAgent.A potentially unwanted", "display_name": "DriverAgent.A potentially unwanted", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 512, "domain": 629, "hostname": 371, "URL": 1103, "FileHash-SHA256": 389, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507d4f778c6732784d241c7", "name": "Malvertizing", "description": "", "modified": "2023-10-18T02:01:30.938000", "created": "2023-09-18T04:41:27.225000", "tags": [ "pierced pussy", "shemale interracial", "thai lesb", "asia anal", "girl on girl", "happy end", "thai sex", "amateur", "thai porn", "gay amateur", "amateur amateur", "asian big", "teens pov", "big tits", "tsara brashears", "porn thai", "cisco umbrella", "malware", "alexa top", "million", "site", "safe site", "heur", "internet storm", "artemis", "adware", "alexa", "coinminer", "iframe", "riskware", "patcher", "crack", "blacklist", "malware site", "malicious site", "detection list", "phishing", "windows nt", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "blacklist https", "whois record", "resolutions", "referrer", "Suricata", "content reputation", "ALERT: WEB CAMS", "child abuse", "South Carolina Federal Credit Union Phishing", "Phishing.HTML", "js user", "evader", "redirect", "browser malware", "cyber crime", "Abuse", "Yandex", "United States", "Suricata Alert", "From America to Russia" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "EngineBox Malware", "display_name": "EngineBox Malware", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "#Exploit:NtQueryIntervalProfile", "display_name": "#Exploit:NtQueryIntervalProfile", "target": null }, { "id": "HackTool:Win32/IPCCrack", "display_name": "HackTool:Win32/IPCCrack", "target": "/malware/HackTool:Win32/IPCCrack" }, { "id": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "display_name": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "#LowFi:Adware:Win32/Altnet", "display_name": "#LowFi:Adware:Win32/Altnet", "target": null }, { "id": "Phishing.BNR", "display_name": "Phishing.BNR", "target": null }, { "id": "Ameriprise Financial phishing", "display_name": "Ameriprise Financial phishing", "target": null }, { "id": "#Lowfi:HSTR:Win32/DownloadMR", "display_name": "#Lowfi:HSTR:Win32/DownloadMR", "target": null }, { "id": "Malware Download", "display_name": "Malware Download", "target": null }, { "id": "#Lowfi:HSTR:Win32/WidgiToolbar", "display_name": "#Lowfi:HSTR:Win32/WidgiToolbar", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Application.Agent", "display_name": "Application.Agent", "target": null }, { "id": "Backdoor.PHP.WebShell", "display_name": "Backdoor.PHP.WebShell", "target": null }, { "id": "MalwareHiderPatched", "display_name": "MalwareHiderPatched", "target": null }, { "id": "JS.eIframeAcNMe", "display_name": "JS.eIframeAcNMe", "target": null }, { "id": "Pua.Snojan", "display_name": "Pua.Snojan", "target": null }, { "id": "Application.CoinMiner", "display_name": "Application.CoinMiner", "target": null }, { "id": "W32.HfsAdware", "display_name": "W32.HfsAdware", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "Trojan.QUAF", "display_name": "Trojan.QUAF", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Hoax.HTML.Phish", "display_name": "Hoax.HTML.Phish", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Malware.Phish", "display_name": "Malware.Phish", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Trojan.HTML.Generic.4 Phish.82B7", "display_name": "Trojan.HTML.Generic.4 Phish.82B7", "target": null }, { "id": "HTML:PhishingMS", "display_name": "HTML:PhishingMS", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HTML.Generic Phishing.S23", "display_name": "HTML.Generic Phishing.S23", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Adware.Agent", "display_name": "Adware.Agent", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Trojan.Script.Generic", "display_name": "Trojan.Script.Generic", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Trojan.Reconyc ml.Generic", "display_name": "Trojan.Reconyc ml.Generic", "target": null }, { "id": "Ole2.Macro.Agent HTML:PhishingMail", "display_name": "Ole2.Macro.Agent HTML:PhishingMail", "target": null }, { "id": "Gen:Variant.Application.LoadMoney", "display_name": "Gen:Variant.Application.LoadMoney", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "Trojan.Disco", "display_name": "Trojan.Disco", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "PUP.Dstudio.dd", "display_name": "PUP.Dstudio.dd", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Gen:Variant.Application.Bundler.Somoto", "display_name": "Gen:Variant.Application.Bundler.Somoto", "target": null }, { "id": "Phishing.DOC", "display_name": "Phishing.DOC", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Ole2.Macro.Agent", "display_name": "Ole2.Macro.Agent", "target": null }, { "id": "Trojan.Reconyc 1", "display_name": "Trojan.Reconyc 1", "target": null }, { "id": "HTML:PhishingMail", "display_name": "HTML:PhishingMail", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "Gen:Variant.Ser.Bulz", "display_name": "Gen:Variant.Ser.Bulz", "target": null }, { "id": "Phishing.Agent", "display_name": "Phishing.Agent", "target": null }, { "id": "HEUR:Trojan.BAT", "display_name": "HEUR:Trojan.BAT", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "malicious.35bb6b", "display_name": "malicious.35bb6b", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "TScope.Malware", "display_name": "TScope.Malware", "target": null }, { "id": "PUA.NSISmod", "display_name": "PUA.NSISmod", "target": null }, { "id": "Trojan.Uztuby", "display_name": "Trojan.Uztuby", "target": null }, { "id": "JS.Phishing", "display_name": "JS.Phishing", "target": null }, { "id": "Win64:Malware", "display_name": "Win64:Malware", "target": null }, { "id": "AGEN.1031860", "display_name": "AGEN.1031860", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "Trojan.Script.Phish", "display_name": "Trojan.Script.Phish", "target": null }, { "id": "HTML:Instagram", "display_name": "HTML:Instagram", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "DriverAgent.A potentially unwanted", "display_name": "DriverAgent.A potentially unwanted", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "6507d445eaddea2b39611065", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 512, "domain": 629, "hostname": 371, "URL": 1103, "FileHash-SHA256": 389, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507d50cc5175d4bc3e98bd3", "name": "Content Reputation Revenge ", "description": "", "modified": "2023-10-18T02:01:30.938000", "created": "2023-09-18T04:41:48.350000", "tags": [ "pierced pussy", "shemale interracial", "thai lesb", "asia anal", "girl on girl", "happy end", "thai sex", "amateur", "thai porn", "gay amateur", "amateur amateur", "asian big", "teens pov", "big tits", "tsara brashears", "porn thai", "cisco umbrella", "malware", "alexa top", "million", "site", "safe site", "heur", "internet storm", "artemis", "adware", "alexa", "coinminer", "iframe", "riskware", "patcher", "crack", "blacklist", "malware site", "malicious site", "detection list", "phishing", "windows nt", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "blacklist https", "whois record", "resolutions", "referrer", "Suricata", "content reputation", "ALERT: WEB CAMS", "child abuse", "South Carolina Federal Credit Union Phishing", "Phishing.HTML", "js user", "evader", "redirect", "browser malware", "cyber crime", "Abuse", "Yandex", "United States", "Suricata Alert", "From America to Russia" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "EngineBox Malware", "display_name": "EngineBox Malware", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "#Exploit:NtQueryIntervalProfile", "display_name": "#Exploit:NtQueryIntervalProfile", "target": null }, { "id": "HackTool:Win32/IPCCrack", "display_name": "HackTool:Win32/IPCCrack", "target": "/malware/HackTool:Win32/IPCCrack" }, { "id": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "display_name": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "#LowFi:Adware:Win32/Altnet", "display_name": "#LowFi:Adware:Win32/Altnet", "target": null }, { "id": "Phishing.BNR", "display_name": "Phishing.BNR", "target": null }, { "id": "Ameriprise Financial phishing", "display_name": "Ameriprise Financial phishing", "target": null }, { "id": "#Lowfi:HSTR:Win32/DownloadMR", "display_name": "#Lowfi:HSTR:Win32/DownloadMR", "target": null }, { "id": "Malware Download", "display_name": "Malware Download", "target": null }, { "id": "#Lowfi:HSTR:Win32/WidgiToolbar", "display_name": "#Lowfi:HSTR:Win32/WidgiToolbar", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Application.Agent", "display_name": "Application.Agent", "target": null }, { "id": "Backdoor.PHP.WebShell", "display_name": "Backdoor.PHP.WebShell", "target": null }, { "id": "MalwareHiderPatched", "display_name": "MalwareHiderPatched", "target": null }, { "id": "JS.eIframeAcNMe", "display_name": "JS.eIframeAcNMe", "target": null }, { "id": "Pua.Snojan", "display_name": "Pua.Snojan", "target": null }, { "id": "Application.CoinMiner", "display_name": "Application.CoinMiner", "target": null }, { "id": "W32.HfsAdware", "display_name": "W32.HfsAdware", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "Trojan.QUAF", "display_name": "Trojan.QUAF", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Hoax.HTML.Phish", "display_name": "Hoax.HTML.Phish", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Malware.Phish", "display_name": "Malware.Phish", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Trojan.HTML.Generic.4 Phish.82B7", "display_name": "Trojan.HTML.Generic.4 Phish.82B7", "target": null }, { "id": "HTML:PhishingMS", "display_name": "HTML:PhishingMS", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HTML.Generic Phishing.S23", "display_name": "HTML.Generic Phishing.S23", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Adware.Agent", "display_name": "Adware.Agent", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Trojan.Script.Generic", "display_name": "Trojan.Script.Generic", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Trojan.Reconyc ml.Generic", "display_name": "Trojan.Reconyc ml.Generic", "target": null }, { "id": "Ole2.Macro.Agent HTML:PhishingMail", "display_name": "Ole2.Macro.Agent HTML:PhishingMail", "target": null }, { "id": "Gen:Variant.Application.LoadMoney", "display_name": "Gen:Variant.Application.LoadMoney", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "Trojan.Disco", "display_name": "Trojan.Disco", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "PUP.Dstudio.dd", "display_name": "PUP.Dstudio.dd", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Gen:Variant.Application.Bundler.Somoto", "display_name": "Gen:Variant.Application.Bundler.Somoto", "target": null }, { "id": "Phishing.DOC", "display_name": "Phishing.DOC", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Ole2.Macro.Agent", "display_name": "Ole2.Macro.Agent", "target": null }, { "id": "Trojan.Reconyc 1", "display_name": "Trojan.Reconyc 1", "target": null }, { "id": "HTML:PhishingMail", "display_name": "HTML:PhishingMail", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "Gen:Variant.Ser.Bulz", "display_name": "Gen:Variant.Ser.Bulz", "target": null }, { "id": "Phishing.Agent", "display_name": "Phishing.Agent", "target": null }, { "id": "HEUR:Trojan.BAT", "display_name": "HEUR:Trojan.BAT", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "malicious.35bb6b", "display_name": "malicious.35bb6b", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "TScope.Malware", "display_name": "TScope.Malware", "target": null }, { "id": "PUA.NSISmod", "display_name": "PUA.NSISmod", "target": null }, { "id": "Trojan.Uztuby", "display_name": "Trojan.Uztuby", "target": null }, { "id": "JS.Phishing", "display_name": "JS.Phishing", "target": null }, { "id": "Win64:Malware", "display_name": "Win64:Malware", "target": null }, { "id": "AGEN.1031860", "display_name": "AGEN.1031860", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "Trojan.Script.Phish", "display_name": "Trojan.Script.Phish", "target": null }, { "id": "HTML:Instagram", "display_name": "HTML:Instagram", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "DriverAgent.A potentially unwanted", "display_name": "DriverAgent.A potentially unwanted", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "6507d4f778c6732784d241c7", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 512, "domain": 629, "hostname": 371, "URL": 1103, "FileHash-SHA256": 389, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6220c81aaf6fddde0116569a", "name": "Democrats.org", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T13:52:26.328000", "tags": [ "date", "dns replication" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17938, "hostname": 3860, "domain": 3501, "FileHash-SHA256": 3114, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Win64:malware", "Ole2.macro.agent html:phishingmail", "Ml.attribute", "Trojan.uztuby", "Hacktool:win32/ipccrack", "Backdoor.php.webshell", "Et", "Gen:variant.graftor", "Malicious.35bb6b", "Riskware.crack", "Gen:variant.ursu", "Html.generic phishing.s23", "Zpevdo.b", "Js.phishing", "Trojanspy", "Malware download", "Application.agent", "Adware.agent", "Trojan.disco", "Gen:variant.razy", "Gen:variant.application.bundler.somoto", "#lowfi:hstr:win32/downloadmr", "Tscope.malware", "#exploit:ntqueryintervalprofile", "Malware", "Maltiverse", "Trojan.quaf", "Hoax.js.phish", "#lowfi:hstr:win32/widgitoolbar", "Webtoolbar", "Gen:variant.ser.bulz", "Generic", "Phishing.bnr", "Trojan.script.generic", "Heur.htmlunescape", "Html:instagram", "Phishing.doc", "Scrinject.b", "Gen:nn.zexaf.34090", "Html:phishingms", "Trojan.script.phish", "Private internet access", "Js:trojan.cryxos", "Generic.malware", "Gen:variant.msilperseus", "Pua.snojan", "Unsafe.ai_score_100%", "Pup.dstudio.dd", "Content reputation", "Artemis", "Hoax.deceptpcclean", "Trojan.html.generic.4 phish.82b7", "W32.aidetectvm", "Pua.nsismod", "Malicious.moderate.ml", "Ameriprise financial phishing", "Ole2.macro.agent", "Driveragent.a potentially unwanted", "Hoax.html.phish", "Application.clenonta", "Trojan.reconyc 1", "Js.eiframeacnme", "Ransom.win64.wacatac.oa", "Trojan.reconyc ml.generic", "Vdehu.a", "Malicious.high.ml", "Malwarehiderpatched", "Gen:variant.application.loadmoney", "Enginebox malware", "Html:phishingmail", "#lowfi:adware:win32/altnet", "#lowfihstr:program:win32/coinminer_cgminer_clean", "Heur:trojan.bat", "Application.coinminer", "Trojan.agent", "W32.hfsadware", "Phishing.agent", "Malware.phish", "Agen.1031860" ], "industries": [ "Food", "Healthcare", "Health" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "68d0f099f60e98e6c4ffc1e5", "name": "Elaborate Medical Insurance Scheme | Claims Reversal", "description": "Boring? Maybe but, victim of crime became a target of an elaborate , phishing, social engineering , hacking, theft, reputation, stalking, & physical assault scheme. A man using name Brian Sabey , Esq continues an international porn campaign. Today I\u2019m shocked by his false Medicare insurance scam denying targets claims & treatment since 2017. This information was retrieved by me via research due to unpaid medical bills Team 8 has uncovered multiple large scale breaches with information mailed , texted or sent to targets. \n We are all researchers with a combined 30 years of award winning researchers focuses in various areas. We are doing this unpaid , considering the circumstances. We are not related to the victim. \n\nAll claims of any abuses have been substantiated claims.\n\n#trulymissed #rip #briansabey #hallrender #jeffreyscottreimer #formbook_cnc #panda_cnc_checkin #claimreversalscam", "modified": "2025-10-22T05:00:52.085000", "created": "2025-09-22T06:45:45.714000", "tags": [ "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "date", "encrypt", "united", "backdoor", "entries", "passive dns", "hstr", "checkin", "next associated", "lowfi", "trojan", "ipv4 add", "twitter", "trojandropper", "ransom", "body", "url https", "type indicator", "role title", "added active", "related pulses", "url http", "ck ids", "t1036", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob", "yara", "report spam", "otx generated", "created", "hours ago", "otx auto", "new york", "tsara brashears", "search", "filehashsha1", "filehashmd5", "domain", "hostname", "virgin islands", "canada", "ireland", "pes of", "expiration", "hall render", "possible deep", "https", "panda", "post", "insane", "law firm", "virtool", "service", "iocs", "learn more", "et trojan", "msie", "windows nt", "show", "unknown", "france as16276", "united kingdom", "possible", "write", "win32", "malware", "copy", "next", "et", "returnurl" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Netherlands", "Italy", "Aruba", "Germany", "Ireland", "Spain", "Poland", "Canada", "T\u00fcrkiye", "Romania", "Sweden", "Australia", "Singapore", "Denmark" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [ "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2905, "URL": 5029, "hostname": 1146, "FileHash-SHA256": 935, "FileHash-MD5": 102, "FileHash-SHA1": 100, "email": 3 }, "indicator_count": 10220, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "768 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "839 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a536d6ca1f8cf73b0a0c", "name": "Content Reputation Revenge", "description": "", "modified": "2023-12-06T16:45:42.567000", "created": "2023-12-06T16:45:42.567000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a53297598bac143dc90c", "name": "Malvertizing", "description": "", "modified": "2023-12-06T16:45:38.747000", "created": "2023-12-06T16:45:38.747000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a52d46c621212ee24542", "name": "Malvertizing: Exponential Adult Contact Revenge Porn & Vulnerabilities", "description": "", "modified": "2023-12-06T16:45:32.953000", "created": "2023-12-06T16:45:32.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 389, "domain": 629, "URL": 1103, "hostname": 371, "FileHash-MD5": 512, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507d445eaddea2b39611065", "name": "Malvertizing: Exponential Adult Contact Revenge Porn & Vulnerabilities", "description": "BrownTube.com/Target?\nToday: Blacklisted & Whitelisted domain. All malware is correct and verified and by now historical. Evader, detects all AI and intrusion. Packed! Farr more vulnerabilities than necessary to list. Research shows this attack on a targeted individuals dates back years. There is evidence of a browser malware that would direct targeted person's directly to site where device is brutally infected. Based on online research target may have been a victim of crime. Even if that weren't the case, this is definitely criminal and intentional.\nThere is underage content advertised. Web and Hidden CAMS accessed.\nVerdict: Revenge Porn\nTarget country clarifier: Origin of campaign US. It is advertised in Russia via Bing aka Yandex/Microsoft merge.\nIt's is viewable Anywhere.", "modified": "2023-10-18T02:01:30.938000", "created": "2023-09-18T04:38:29.088000", "tags": [ "pierced pussy", "shemale interracial", "thai lesb", "asia anal", "girl on girl", "happy end", "thai sex", "amateur", "thai porn", "gay amateur", "amateur amateur", "asian big", "teens pov", "big tits", "tsara brashears", "porn thai", "cisco umbrella", "malware", "alexa top", "million", "site", "safe site", "heur", "internet storm", "artemis", "adware", "alexa", "coinminer", "iframe", "riskware", "patcher", "crack", "blacklist", "malware site", "malicious site", "detection list", "phishing", "windows nt", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "blacklist https", "whois record", "resolutions", "referrer", "Suricata", "content reputation", "ALERT: WEB CAMS", "child abuse", "South Carolina Federal Credit Union Phishing", "Phishing.HTML", "js user", "evader", "redirect", "browser malware", "cyber crime", "Abuse", "Yandex", "United States", "Suricata Alert", "From America to Russia" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "EngineBox Malware", "display_name": "EngineBox Malware", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "#Exploit:NtQueryIntervalProfile", "display_name": "#Exploit:NtQueryIntervalProfile", "target": null }, { "id": "HackTool:Win32/IPCCrack", "display_name": "HackTool:Win32/IPCCrack", "target": "/malware/HackTool:Win32/IPCCrack" }, { "id": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "display_name": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "#LowFi:Adware:Win32/Altnet", "display_name": "#LowFi:Adware:Win32/Altnet", "target": null }, { "id": "Phishing.BNR", "display_name": "Phishing.BNR", "target": null }, { "id": "Ameriprise Financial phishing", "display_name": "Ameriprise Financial phishing", "target": null }, { "id": "#Lowfi:HSTR:Win32/DownloadMR", "display_name": "#Lowfi:HSTR:Win32/DownloadMR", "target": null }, { "id": "Malware Download", "display_name": "Malware Download", "target": null }, { "id": "#Lowfi:HSTR:Win32/WidgiToolbar", "display_name": "#Lowfi:HSTR:Win32/WidgiToolbar", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Application.Agent", "display_name": "Application.Agent", "target": null }, { "id": "Backdoor.PHP.WebShell", "display_name": "Backdoor.PHP.WebShell", "target": null }, { "id": "MalwareHiderPatched", "display_name": "MalwareHiderPatched", "target": null }, { "id": "JS.eIframeAcNMe", "display_name": "JS.eIframeAcNMe", "target": null }, { "id": "Pua.Snojan", "display_name": "Pua.Snojan", "target": null }, { "id": "Application.CoinMiner", "display_name": "Application.CoinMiner", "target": null }, { "id": "W32.HfsAdware", "display_name": "W32.HfsAdware", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "Trojan.QUAF", "display_name": "Trojan.QUAF", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Hoax.HTML.Phish", "display_name": "Hoax.HTML.Phish", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Malware.Phish", "display_name": "Malware.Phish", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Trojan.HTML.Generic.4 Phish.82B7", "display_name": "Trojan.HTML.Generic.4 Phish.82B7", "target": null }, { "id": "HTML:PhishingMS", "display_name": "HTML:PhishingMS", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HTML.Generic Phishing.S23", "display_name": "HTML.Generic Phishing.S23", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Adware.Agent", "display_name": "Adware.Agent", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Trojan.Script.Generic", "display_name": "Trojan.Script.Generic", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Trojan.Reconyc ml.Generic", "display_name": "Trojan.Reconyc ml.Generic", "target": null }, { "id": "Ole2.Macro.Agent HTML:PhishingMail", "display_name": "Ole2.Macro.Agent HTML:PhishingMail", "target": null }, { "id": "Gen:Variant.Application.LoadMoney", "display_name": "Gen:Variant.Application.LoadMoney", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "Trojan.Disco", "display_name": "Trojan.Disco", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "PUP.Dstudio.dd", "display_name": "PUP.Dstudio.dd", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Gen:Variant.Application.Bundler.Somoto", "display_name": "Gen:Variant.Application.Bundler.Somoto", "target": null }, { "id": "Phishing.DOC", "display_name": "Phishing.DOC", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Ole2.Macro.Agent", "display_name": "Ole2.Macro.Agent", "target": null }, { "id": "Trojan.Reconyc 1", "display_name": "Trojan.Reconyc 1", "target": null }, { "id": "HTML:PhishingMail", "display_name": "HTML:PhishingMail", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "Gen:Variant.Ser.Bulz", "display_name": "Gen:Variant.Ser.Bulz", "target": null }, { "id": "Phishing.Agent", "display_name": "Phishing.Agent", "target": null }, { "id": "HEUR:Trojan.BAT", "display_name": "HEUR:Trojan.BAT", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "malicious.35bb6b", "display_name": "malicious.35bb6b", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "TScope.Malware", "display_name": "TScope.Malware", "target": null }, { "id": "PUA.NSISmod", "display_name": "PUA.NSISmod", "target": null }, { "id": "Trojan.Uztuby", "display_name": "Trojan.Uztuby", "target": null }, { "id": "JS.Phishing", "display_name": "JS.Phishing", "target": null }, { "id": "Win64:Malware", "display_name": "Win64:Malware", "target": null }, { "id": "AGEN.1031860", "display_name": "AGEN.1031860", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "Trojan.Script.Phish", "display_name": "Trojan.Script.Phish", "target": null }, { "id": "HTML:Instagram", "display_name": "HTML:Instagram", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "DriverAgent.A potentially unwanted", "display_name": "DriverAgent.A potentially unwanted", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 512, "domain": 629, "hostname": 371, "URL": 1103, "FileHash-SHA256": 389, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507d4f778c6732784d241c7", "name": "Malvertizing", "description": "", "modified": "2023-10-18T02:01:30.938000", "created": "2023-09-18T04:41:27.225000", "tags": [ "pierced pussy", "shemale interracial", "thai lesb", "asia anal", "girl on girl", "happy end", "thai sex", "amateur", "thai porn", "gay amateur", "amateur amateur", "asian big", "teens pov", "big tits", "tsara brashears", "porn thai", "cisco umbrella", "malware", "alexa top", "million", "site", "safe site", "heur", "internet storm", "artemis", "adware", "alexa", "coinminer", "iframe", "riskware", "patcher", "crack", "blacklist", "malware site", "malicious site", "detection list", "phishing", "windows nt", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "blacklist https", "whois record", "resolutions", "referrer", "Suricata", "content reputation", "ALERT: WEB CAMS", "child abuse", "South Carolina Federal Credit Union Phishing", "Phishing.HTML", "js user", "evader", "redirect", "browser malware", "cyber crime", "Abuse", "Yandex", "United States", "Suricata Alert", "From America to Russia" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "EngineBox Malware", "display_name": "EngineBox Malware", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "#Exploit:NtQueryIntervalProfile", "display_name": "#Exploit:NtQueryIntervalProfile", "target": null }, { "id": "HackTool:Win32/IPCCrack", "display_name": "HackTool:Win32/IPCCrack", "target": "/malware/HackTool:Win32/IPCCrack" }, { "id": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "display_name": "#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "#LowFi:Adware:Win32/Altnet", "display_name": "#LowFi:Adware:Win32/Altnet", "target": null }, { "id": "Phishing.BNR", "display_name": "Phishing.BNR", "target": null }, { "id": "Ameriprise Financial phishing", "display_name": "Ameriprise Financial phishing", "target": null }, { "id": "#Lowfi:HSTR:Win32/DownloadMR", "display_name": "#Lowfi:HSTR:Win32/DownloadMR", "target": null }, { "id": "Malware Download", "display_name": "Malware Download", "target": null }, { "id": "#Lowfi:HSTR:Win32/WidgiToolbar", "display_name": "#Lowfi:HSTR:Win32/WidgiToolbar", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Application.Agent", "display_name": "Application.Agent", "target": null }, { "id": "Backdoor.PHP.WebShell", "display_name": "Backdoor.PHP.WebShell", "target": null }, { "id": "MalwareHiderPatched", "display_name": "MalwareHiderPatched", "target": null }, { "id": "JS.eIframeAcNMe", "display_name": "JS.eIframeAcNMe", "target": null }, { "id": "Pua.Snojan", "display_name": "Pua.Snojan", "target": null }, { "id": "Application.CoinMiner", "display_name": "Application.CoinMiner", "target": null }, { "id": "W32.HfsAdware", "display_name": "W32.HfsAdware", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "Trojan.QUAF", "display_name": "Trojan.QUAF", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Hoax.HTML.Phish", "display_name": "Hoax.HTML.Phish", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Malware.Phish", "display_name": "Malware.Phish", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Trojan.HTML.Generic.4 Phish.82B7", "display_name": "Trojan.HTML.Generic.4 Phish.82B7", "target": null }, { "id": "HTML:PhishingMS", "display_name": "HTML:PhishingMS", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HTML.Generic Phishing.S23", "display_name": "HTML.Generic Phishing.S23", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Adware.Agent", "display_name": "Adware.Agent", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Trojan.Script.Generic", "display_name": "Trojan.Script.Generic", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Trojan.Reconyc ml.Generic", "display_name": "Trojan.Reconyc ml.Generic", "target": null }, { "id": "Ole2.Macro.Agent HTML:PhishingMail", "display_name": "Ole2.Macro.Agent HTML:PhishingMail", "target": null }, { "id": "Gen:Variant.Application.LoadMoney", "display_name": "Gen:Variant.Application.LoadMoney", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "Trojan.Disco", "display_name": "Trojan.Disco", "target": null }, { "id": "Heur.HTMLUnescape", "display_name": "Heur.HTMLUnescape", "target": null }, { "id": "PUP.Dstudio.dd", "display_name": "PUP.Dstudio.dd", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Gen:Variant.Application.Bundler.Somoto", "display_name": "Gen:Variant.Application.Bundler.Somoto", "target": null }, { "id": "Phishing.DOC", "display_name": "Phishing.DOC", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Ole2.Macro.Agent", "display_name": "Ole2.Macro.Agent", "target": null }, { "id": "Trojan.Reconyc 1", "display_name": "Trojan.Reconyc 1", "target": null }, { "id": "HTML:PhishingMail", "display_name": "HTML:PhishingMail", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "Gen:Variant.Ser.Bulz", "display_name": "Gen:Variant.Ser.Bulz", "target": null }, { "id": "Phishing.Agent", "display_name": "Phishing.Agent", "target": null }, { "id": "HEUR:Trojan.BAT", "display_name": "HEUR:Trojan.BAT", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "malicious.35bb6b", "display_name": "malicious.35bb6b", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "TScope.Malware", "display_name": "TScope.Malware", "target": null }, { "id": "PUA.NSISmod", "display_name": "PUA.NSISmod", "target": null }, { "id": "Trojan.Uztuby", "display_name": "Trojan.Uztuby", "target": null }, { "id": "JS.Phishing", "display_name": "JS.Phishing", "target": null }, { "id": "Win64:Malware", "display_name": "Win64:Malware", "target": null }, { "id": "AGEN.1031860", "display_name": "AGEN.1031860", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "Trojan.Script.Phish", "display_name": "Trojan.Script.Phish", "target": null }, { "id": "HTML:Instagram", "display_name": "HTML:Instagram", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Application.Clenonta", "display_name": "Application.Clenonta", "target": null }, { "id": "DriverAgent.A potentially unwanted", "display_name": "DriverAgent.A potentially unwanted", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "6507d445eaddea2b39611065", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 512, "domain": 629, "hostname": 371, "URL": 1103, "FileHash-SHA256": 389, "FileHash-SHA1": 117, "URI": 6, "FilePath": 1 }, "indicator_count": 3129, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jayadoni.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jayadoni.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776718168.604391 }