{
  "type": "Domain",
  "indicator": "juno.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/juno.com",
    "alexa": "http://www.alexa.com/siteinfo/juno.com",
    "indicator": "juno.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain juno.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain juno.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 982271875,
      "indicator": "juno.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 30,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7e076cbfe2d0f7eb90",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-05-30T00:28:12.957000",
          "created": "2026-04-30T04:37:18.870000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d6c7fec016b76d49ed95ae",
          "name": "VirusTotal report\n                    for index.html",
          "description": "shatter",
          "modified": "2026-05-08T22:06:56.603000",
          "created": "2026-04-08T21:26:22.351000",
          "tags": [
            "performs dns",
            "united",
            "https",
            "found",
            "tls version",
            "mitre attack",
            "network info",
            "processes extra",
            "urls",
            "t1055 process",
            "phishing",
            "next",
            "script",
            "doctype html",
            "variablece2034",
            "head"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 442,
            "FileHash-MD5": 245,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 573,
            "URL": 570,
            "hostname": 1058,
            "email": 3,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3094,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7db0bb5c5cdaec5a6c",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-04-30T04:53:09.713000",
          "created": "2026-04-30T04:37:17.546000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b76c9a490b69b6a085b3",
          "name": "Exodus/cellbrite clone by Q Vashti",
          "description": "",
          "modified": "2026-03-12T12:54:04.160000",
          "created": "2026-03-12T12:54:04.160000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6916e098df39114161354b23",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "79 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a5c36b78ed73550bb0bf22",
          "name": "by Disable_Duck",
          "description": "",
          "modified": "2026-03-04T23:37:24.208000",
          "created": "2026-03-02T17:05:47.288000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB",
            "TLS/SSL Crawler",
            "CVE-2026-24061 Attempt",
            "Generic IoT Default Password Attempt",
            "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
            "Dahua Backdoor Attempt",
            "ENV Crawler",
            "DCERPC Protocol",
            "Carries HTTP Referer",
            "GNU Inetutils Telnetd Auth Bypass",
            "ICMPv4 Protocol"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
            "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)",
            "Argentina",
            "Switzerland"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "6901363c4ce422f5caf0f72c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 996,
            "domain": 987,
            "hostname": 3306,
            "email": 4,
            "CVE": 1
          },
          "indicator_count": 27048,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6901363c4ce422f5caf0f72c",
          "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
          "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
          "modified": "2026-02-18T05:00:41.494000",
          "created": "2025-10-28T21:31:40.008000",
          "tags": [
            "kgs0",
            "kls0",
            "botname http",
            "entity",
            "UAlberta",
            "Telus",
            "Norton",
            "ffss",
            "Alberta",
            "AlbertaNDP",
            "InteriorHealth",
            "RCMP",
            "CrimeStoppersAB",
            "EdmontonPolice",
            "RCMP Kelowna",
            "RCMP AB"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
            "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "Panama",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Slovakia",
            "Aruba",
            "Anguilla",
            "Australia",
            "Costa Rica",
            "Guatemala",
            "Mexico",
            "Trinidad and Tobago",
            "Cura\u00e7ao",
            "Philippines",
            "Virgin Islands, U.S.",
            "Ukraine",
            "Barbados",
            "Germany",
            "Sint Maarten (Dutch part)"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Energy",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3903,
            "FileHash-SHA1": 4967,
            "FileHash-SHA256": 12884,
            "URL": 995,
            "domain": 984,
            "hostname": 3305,
            "email": 4
          },
          "indicator_count": 27042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "102 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695c8007f67e8b9a6bb276c5",
          "name": "export_USERS 1-14000 / 157705",
          "description": "UAlberta Azure/Entra (partial)\nRelated to Pulse 'Ghosts' [ loads into system files ]",
          "modified": "2026-02-05T03:05:05.683000",
          "created": "2026-01-06T03:22:47.101000",
          "tags": [
            "true",
            "member",
            "guest",
            "invitation",
            "emailverified",
            "notadult",
            "zhang",
            "nguyen",
            "smith",
            "andison",
            "wang",
            "yang",
            "king",
            "pandit",
            "martin",
            "hong",
            "murray",
            "davis",
            "perez",
            "kremp",
            "walker",
            "rush",
            "ding",
            "cheng",
            "jarvis",
            "casey",
            "blank",
            "jason",
            "hope",
            "shang",
            "lambert",
            "hare",
            "hustler",
            "nichols",
            "james",
            "wong",
            "patel",
            "grewal",
            "rana",
            "jaber",
            "david",
            "hawkshaw",
            "jackson",
            "hunter",
            "horn",
            "modi",
            "baixue",
            "chen",
            "reid",
            "mendoza",
            "bone",
            "dada",
            "stepan",
            "fisher",
            "roma",
            "barry",
            "moran",
            "goodwin",
            "tack",
            "baran",
            "donald",
            "pedro",
            "green",
            "dennis",
            "stop",
            "kaneria",
            "duke",
            "goli",
            "bach",
            "hwang",
            "hill",
            "mark",
            "victor",
            "pino",
            "little",
            "misa",
            "gloria",
            "mesina",
            "matta",
            "shen",
            "splinter",
            "sohana",
            "alex",
            "jean",
            "madro",
            "coco",
            "zhao",
            "support",
            "lynda",
            "daniel",
            "info",
            "brick",
            "wagner",
            "stark",
            "starr",
            "dorn",
            "repka",
            "heck",
            "park",
            "tang",
            "multiple1162021",
            "alexander",
            "gibbon",
            "calgary",
            "matthew",
            "bian",
            "shah",
            "johnson",
            "delfs",
            "morrison",
            "flood",
            "black",
            "valencia",
            "bredo",
            "singh",
            "chan",
            "ahmed",
            "salm",
            "faisal",
            "agena",
            "bella",
            "crow",
            "yurkiw",
            "xgygy0094",
            "huang",
            "trinity",
            "aris",
            "alisa",
            "cardinal",
            "wolf",
            "corona",
            "abbas",
            "rasim",
            "asher",
            "motil",
            "xena",
            "hammer",
            "hack",
            "chin",
            "odysseus",
            "otto",
            "jain",
            "joshi",
            "hole",
            "daum",
            "stack",
            "murphy",
            "leon",
            "meadwell",
            "owumi",
            "royce",
            "luna",
            "eddie",
            "stone",
            "stang",
            "code",
            "paradis",
            "zhen",
            "sood",
            "pepper",
            "mill",
            "cassidy",
            "blade",
            "minimo",
            "sweet",
            "toal"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "domain": 243,
            "email": 14365,
            "hostname": 104
          },
          "indicator_count": 14717,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "115 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6952febb1dbcf05ee601f050",
          "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
          "description": "",
          "modified": "2025-12-29T22:20:43.238000",
          "created": "2025-12-29T22:20:43.238000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b80a20bbcd0eb305a740ec",
          "export_count": 40582,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f5d903f30204d7740b4674",
          "name": "FFSS - Impacts of University Leadership (U of A) on Global EDU & Healthcare - 11.26.25",
          "description": "FFSS - Impacts of University Leadership (U of A) on Global EDU & Healthcare\nA missing piece of the puzzle. Redacted PII/PHI. \nRedacted specific users, but contains a list of URLs, IPs, and domains",
          "modified": "2025-12-26T19:00:31.552000",
          "created": "2025-10-20T06:38:59.827000",
          "tags": [
            "lgxzvz0r",
            "entity",
            "please",
            "javascript",
            "Education",
            "Technology",
            "University",
            "Healthcare"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/gdeb33b2284ec47739ae15daaf7a0ade8669439cc0f81433d9540e26c7831debc?theme=dark",
            "https://www.virustotal.com/gui/collection/0d117c1338ea8314404a1bfecd2e96a4b0d48dce795cbe57d702db3eb35998e1/iocs",
            "https://www.virustotal.com/graph/embed/g2484756a6bca4d9ca3b636b9775705296ed6d403bdd9471aab55afb1d5448630?theme=dark",
            "https://viz.greynoise.io/ip/analysis/0fc0805a-ed20-4be0-b91e-f4189a9619ce",
            "https://www.filescan.io/uploads/68f5e2a5c85c5c56972eaebb/reports/56841543-5615-4517-b718-77e27b2e8819/ioc",
            "https://polyswarm.network/scan/results/file/3a069ad7325feb0cc4d18ef7347ebdbed6290c2285634a2b43e07c7c6a759451",
            "https://metadefender.com/results/file/bzI1MTAyMEJqaHhnTWEwLU1VS181QVhwNHlP",
            "https://viz.greynoise.io/ip/analysis/8f018fe6-9b92-4817-9dfd-e0e08177a92c - 10.29.25",
            "https://viz.greynoise.io/ip/analysis/450bed8c-fc0d-48cb-aebe-56941da4886b - 11.26.25"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 865,
            "hostname": 460,
            "URL": 1031,
            "FileHash-MD5": 3509,
            "email": 5,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 12
          },
          "indicator_count": 5894,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "155 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916e098df39114161354b23",
          "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
          "description": "",
          "modified": "2025-12-14T07:05:42.106000",
          "created": "2025-11-14T07:56:08.872000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "168 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d62e5e038c036204e489ba",
          "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |",
          "description": "DiabloFans.com redirects to curse.llc a shopify  storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C",
          "modified": "2025-10-26T05:01:11.780000",
          "created": "2025-09-26T06:10:38.550000",
          "tags": [
            "handle",
            "entity",
            "host name",
            "rdap database",
            "iana registrar",
            "roles",
            "dnssec",
            "links",
            "namecheap",
            "namecheap inc",
            "script urls",
            "united",
            "unknown ns",
            "moved",
            "script domains",
            "passive dns",
            "ip address",
            "body",
            "gmt content",
            "type",
            "title",
            "date",
            "meta",
            "request",
            "get updates",
            "common upatre",
            "p2p zeus",
            "common header",
            "struct",
            "downloader",
            "exe download",
            "terse",
            "regsetvalueexa",
            "execution",
            "dock",
            "write",
            "next",
            "win32",
            "persistence",
            "malware",
            "copy",
            "unknown",
            "canada unknown",
            "alfper",
            "entries",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location canada",
            "twitter",
            "present sep",
            "cname",
            "name servers",
            "search",
            "creation date",
            "canada",
            "certificate",
            "trojan",
            "ontario",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "defense evasion",
            "spawns",
            "development att",
            "href",
            "show technique",
            "mitre att",
            "ck matrix",
            "script",
            "network related",
            "input url",
            "network traffic",
            "t1204",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "size",
            "sha1",
            "sha256",
            "flag",
            "canada canada",
            "strings",
            "cloudflar",
            "google",
            "googlecl",
            "facebook",
            "as autonomous",
            "system",
            "hetznera",
            "detail domain",
            "domain tree",
            "links domain",
            "requested",
            "url https",
            "general full",
            "name value",
            "resource",
            "asn13335",
            "cloudflarenet",
            "hash",
            "protocol h3",
            "express",
            "value",
            "please",
            "automatic",
            "webgl",
            "september",
            "variables",
            "shopify",
            "shopifypay",
            "st boolean",
            "shopifyforms",
            "raven",
            "hstr",
            "next associated",
            "mtb may",
            "ipv4 add",
            "trojanspy",
            "trojandropper",
            "span",
            "path",
            "button",
            "circle",
            "link",
            "keychains",
            "choose",
            "input",
            "small",
            "close",
            "form",
            "stop",
            "anime",
            "kitty",
            "iframe",
            "null",
            "open",
            "tarot",
            "footer",
            "curse",
            "first",
            "back",
            "error",
            "config",
            "contact",
            "signs",
            "main",
            "payment",
            "window"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 236,
            "FileHash-MD5": 320,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 2288,
            "URL": 889,
            "hostname": 361,
            "SSLCertFingerprint": 1,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 4412,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68be65e95645ef1a6c8a898d",
          "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products",
          "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.",
          "modified": "2025-10-08T04:04:41.943000",
          "created": "2025-09-08T05:13:13.781000",
          "tags": [
            "mtb oct",
            "trojandropper",
            "avast avg",
            "backdoor",
            "trojan",
            "ubuntu",
            "passive dns",
            "federation flag",
            "asn as49505",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "dynamicloader",
            "high",
            "medium",
            "port",
            "delete c",
            "windows",
            "displayname",
            "tofsee",
            "grum",
            "stream",
            "powershell",
            "write",
            "malware",
            "hostile",
            "misa",
            "ipv4 add",
            "urls",
            "files",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "found",
            "command",
            "defense evasion",
            "adversaries",
            "spawns",
            "united",
            "orc5",
            "flag",
            "rhur3d",
            "title",
            "click",
            "strings",
            "refresh",
            "aids",
            "dzan",
            "sumo",
            "miny",
            "judi",
            "pattern match",
            "mitre att",
            "show technique",
            "ck matrix",
            "ascii text",
            "show process",
            "hybrid",
            "general",
            "local",
            "path",
            "t1480 execution",
            "null",
            "span",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "domain secure",
            "windows nt",
            "ogoogle trust",
            "zerossl ecc",
            "site ca0x1ex17r",
            "win64",
            "unknown",
            "encrypt",
            "search",
            "entries",
            "destination",
            "push",
            "next",
            "apple",
            "moved",
            "gmt content",
            "type",
            "content length",
            "ipv4",
            "date",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "assigned pi",
            "status",
            "whois server",
            "entity ipripe",
            "apnic",
            "url add",
            "http",
            "hostname",
            "files domain",
            "files related",
            "related tags",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "unknown ns",
            "name servers",
            "creation date",
            "emails",
            "pulse pulses",
            "pulses none",
            "none google",
            "safe browsing",
            "external",
            "location united",
            "asn as714",
            "less whois",
            "registrar",
            "ios",
            "iphone",
            "ipad",
            "australia",
            "dead host"
          ],
          "references": [
            "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
            "https://176.113.115.136/ohhiiiii/",
            "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
            "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
            "palantir-staging.staging.candidate.app.paulsjob.ai",
            "pornhub.com\t \u2022 www.pornhub.com",
            "appleaustralia.com",
            "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
            "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Muldrop",
              "display_name": "Muldrop",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1273,
            "FileHash-MD5": 347,
            "domain": 606,
            "hostname": 778,
            "FileHash-SHA256": 2724,
            "FileHash-SHA1": 322,
            "email": 9,
            "SSLCertFingerprint": 14,
            "CIDR": 3
          },
          "indicator_count": 6076,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "235 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688b0fbceab364a2b84b1124",
          "name": "Busybox MIORI Hackers - ongoing  Aurora , Medical Campus -Mirai [by scoreblue -Team 8]",
          "description": "",
          "modified": "2025-07-31T06:39:56.204000",
          "created": "2025-07-31T06:39:56.204000",
          "tags": [
            "idnischdr http",
            "computer",
            "america asn",
            "as7018 att",
            "url https",
            "america",
            "united states",
            "united",
            "germany",
            "italy",
            "trojan",
            "all scoreblue",
            "report spam",
            "created",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "all search",
            "author avatar",
            "miori hackers",
            "file score",
            "detections elf",
            "path",
            "busybox busybox",
            "brute force",
            "attack bad",
            "login yara",
            "detections",
            "sid name",
            "malware cve",
            "suspicious path",
            "busybox",
            "activity",
            "system",
            "malware beacon",
            "bad login",
            "attack",
            "port",
            "destination",
            "show",
            "search",
            "exif data",
            "property value",
            "elf info",
            "key value",
            "x86 baddr",
            "elf64 crypto",
            "final url",
            "ip address",
            "status code",
            "body",
            "kb body",
            "sha256",
            "server",
            "gmt connection",
            "date sun",
            "gmt contenttype",
            "filehashsha256",
            "crazy doll",
            "next",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cgb stgreater",
            "cnsectigo rsa",
            "secure server",
            "ca validity",
            "cus stcolorado",
            "info",
            "director",
            "orgtechhandle",
            "orgtechref",
            "university",
            "whois lookup",
            "netrange",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "network",
            "registry arin",
            "country us",
            "continent na",
            "meta",
            "script script",
            "lance mueller",
            "mueller",
            "unknown",
            "script urls",
            "photography",
            "passive dns",
            "urls",
            "model",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "status",
            "http",
            "record value",
            "emails",
            "dnssec",
            "domain name",
            "backdoor",
            "bad request",
            "entries",
            "title style",
            "f2f2f2 color",
            "helvetica neue",
            "exploit",
            "browse scan",
            "endpoints all",
            "search otx",
            "related pulses",
            "file samples",
            "files matching",
            "as44273 host",
            "showing",
            "telper",
            "date hash",
            "copyright",
            "url http",
            "win64",
            "as53665 bodis",
            "aaaa",
            "as206834 team",
            "canada unknown",
            "read c",
            "create c",
            "write c",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "delete c",
            "dock",
            "write",
            "execution",
            "copy",
            "xport",
            "1575038779",
            "medium",
            "capture",
            "malware",
            "february",
            "as61969 team",
            "servers",
            "domain robot",
            "expiration date",
            "as714 apple",
            "as42 woodynet",
            "nxdomain",
            "name servers",
            "a nxdomain",
            "ipv4",
            "found",
            "control",
            "content type",
            "as20940",
            "asnone united",
            "as701 verizon",
            "as2914 ntt",
            "win32",
            "certificate",
            "date",
            "dynamicloader",
            "high",
            "t1055",
            "attempts",
            "yara detections",
            "bitcoinaltcoin",
            "code injection",
            "high defense",
            "ip related",
            "pulses otx",
            "pulses",
            "overview domain",
            "files ip",
            "address domain",
            "related tags",
            "pulse pulses",
            "div div",
            "as49505",
            "span",
            "form",
            "as6185 apple",
            "china",
            "as4812 china",
            "as17816 china",
            "as4134 chinanet",
            "scan endpoints",
            "trojan features",
            "enigmaprotector",
            "dynamic",
            "powershell",
            "filehash",
            "for privacy",
            "ltd dba",
            "com laude",
            "cname",
            "cve20170147 sep",
            "verdict",
            "as63949 linode",
            "https",
            "as8075",
            "united kingdom",
            "whitelisted",
            "as25825",
            "moved",
            "aurora",
            "redacted for",
            "whois lookups",
            "orgid",
            "east",
            "seen",
            "update date",
            "cidr",
            "netname uch",
            "parent net168",
            "nettype direct",
            "contacted",
            "tulach",
            "brian sabey"
          ],
          "references": [
            "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
            "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "ELF:Mirai-TO\\ [Trj] tulach.cc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
            "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "Yara Detections: is__elf",
            "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
            "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
            "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
            "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
            "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
            "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
            "Title The page title. Chieti Meteo - Webcam Abruzzo",
            "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
            "savethemalesdenver.com | brasville.com.br?",
            "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
            "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
            "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
            "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
            "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
            "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
            "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
            "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
            "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
            "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
            "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
            "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
            "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
            "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
            "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
            "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
            "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
            "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
            "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
            "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
            "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
            "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
            "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
            "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
            "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
            "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
            "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
          ],
          "public": 1,
          "adversary": "busybox MIORI Hackers",
          "targeted_countries": [
            "United States of America",
            "Mexico"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Bulilit",
              "display_name": "TrojanDownloader:Win32/Bulilit",
              "target": "/malware/TrojanDownloader:Win32/Bulilit"
            },
            {
              "id": "ELF:Mirai-TO\\ [Trj]",
              "display_name": "ELF:Mirai-TO\\ [Trj]",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai.B",
              "display_name": "Backdoor:Linux/Mirai.B",
              "target": "/malware/Backdoor:Linux/Mirai.B"
            },
            {
              "id": "TELPER:HSTR:DotCisOffer",
              "display_name": "TELPER:HSTR:DotCisOffer",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Backdoor:Win32/Bladabindi",
              "display_name": "Backdoor:Win32/Bladabindi",
              "target": "/malware/Backdoor:Win32/Bladabindi"
            },
            {
              "id": "ALF:E5",
              "display_name": "ALF:E5",
              "target": null
            },
            {
              "id": "Win.Malware.Midie-9950743-0",
              "display_name": "Win.Malware.Midie-9950743-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.ARJ!MTB",
              "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
              "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fb3c4e8a2593134641f3c0",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 459,
            "FileHash-MD5": 1228,
            "FileHash-SHA1": 1163,
            "FileHash-SHA256": 2243,
            "domain": 876,
            "hostname": 1088,
            "CIDR": 2,
            "email": 17,
            "CVE": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 7083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "304 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fc29a49b5ac693c8d75122",
          "name": "Medical Campus - Aurora, Co | Recheck",
          "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
          "modified": "2024-10-31T16:03:52.240000",
          "created": "2024-10-01T16:56:04.004000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3850,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3329,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 236,
          "modified_text": "576 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fb3c4e8a2593134641f3c0",
          "name": "busybox MIORI Hackers - attack Aurora, Medical Campus -Mirai",
          "description": "*Tipped-Patient reports computers with fully locked screens log in every time she enters a room at UC Health Anshutz Campus. Unauthorized Login: http://ITSupport.UCHealth.org. Graphs deleted from Virus Total\u00bbLogin ID: 168.200.45.168 [bound]. I've tried to post pulse multiple times. IP's were contacted. Brute force attempts on my device. Anyway it's Tulach. There is a 'pro- ale' and other 'monitoring, silencing, dangerous groups'  silencing crime victims, journalists, dissents, potential whistle blowers. One victim attacked physically losing health battle. Doctors unwilling to treat.Auto populated\u00bb The full text of the Mirai-TO malware, which was launched on Friday, has now been published on the website of www.forensickb.co.uk..com. hmmm...there was a counter attack.",
          "modified": "2024-10-30T22:04:06.705000",
          "created": "2024-10-01T00:03:26.199000",
          "tags": [
            "idnischdr http",
            "computer",
            "america asn",
            "as7018 att",
            "url https",
            "america",
            "united states",
            "united",
            "germany",
            "italy",
            "trojan",
            "all scoreblue",
            "report spam",
            "created",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "all search",
            "author avatar",
            "miori hackers",
            "file score",
            "detections elf",
            "path",
            "busybox busybox",
            "brute force",
            "attack bad",
            "login yara",
            "detections",
            "sid name",
            "malware cve",
            "suspicious path",
            "busybox",
            "activity",
            "system",
            "malware beacon",
            "bad login",
            "attack",
            "port",
            "destination",
            "show",
            "search",
            "exif data",
            "property value",
            "elf info",
            "key value",
            "x86 baddr",
            "elf64 crypto",
            "final url",
            "ip address",
            "status code",
            "body",
            "kb body",
            "sha256",
            "server",
            "gmt connection",
            "date sun",
            "gmt contenttype",
            "filehashsha256",
            "crazy doll",
            "next",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cgb stgreater",
            "cnsectigo rsa",
            "secure server",
            "ca validity",
            "cus stcolorado",
            "info",
            "director",
            "orgtechhandle",
            "orgtechref",
            "university",
            "whois lookup",
            "netrange",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "network",
            "registry arin",
            "country us",
            "continent na",
            "meta",
            "script script",
            "lance mueller",
            "mueller",
            "unknown",
            "script urls",
            "photography",
            "passive dns",
            "urls",
            "model",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "status",
            "http",
            "record value",
            "emails",
            "dnssec",
            "domain name",
            "backdoor",
            "bad request",
            "entries",
            "title style",
            "f2f2f2 color",
            "helvetica neue",
            "exploit",
            "browse scan",
            "endpoints all",
            "search otx",
            "related pulses",
            "file samples",
            "files matching",
            "as44273 host",
            "showing",
            "telper",
            "date hash",
            "copyright",
            "url http",
            "win64",
            "as53665 bodis",
            "aaaa",
            "as206834 team",
            "canada unknown",
            "read c",
            "create c",
            "write c",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "delete c",
            "dock",
            "write",
            "execution",
            "copy",
            "xport",
            "1575038779",
            "medium",
            "capture",
            "malware",
            "february",
            "as61969 team",
            "servers",
            "domain robot",
            "expiration date",
            "as714 apple",
            "as42 woodynet",
            "nxdomain",
            "name servers",
            "a nxdomain",
            "ipv4",
            "found",
            "control",
            "content type",
            "as20940",
            "asnone united",
            "as701 verizon",
            "as2914 ntt",
            "win32",
            "certificate",
            "date",
            "dynamicloader",
            "high",
            "t1055",
            "attempts",
            "yara detections",
            "bitcoinaltcoin",
            "code injection",
            "high defense",
            "ip related",
            "pulses otx",
            "pulses",
            "overview domain",
            "files ip",
            "address domain",
            "related tags",
            "pulse pulses",
            "div div",
            "as49505",
            "span",
            "form",
            "as6185 apple",
            "china",
            "as4812 china",
            "as17816 china",
            "as4134 chinanet",
            "scan endpoints",
            "trojan features",
            "enigmaprotector",
            "dynamic",
            "powershell",
            "filehash",
            "for privacy",
            "ltd dba",
            "com laude",
            "cname",
            "cve20170147 sep",
            "verdict",
            "as63949 linode",
            "https",
            "as8075",
            "united kingdom",
            "whitelisted",
            "as25825",
            "moved",
            "aurora",
            "redacted for",
            "whois lookups",
            "orgid",
            "east",
            "seen",
            "update date",
            "cidr",
            "netname uch",
            "parent net168",
            "nettype direct",
            "contacted",
            "tulach",
            "brian sabey"
          ],
          "references": [
            "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
            "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "ELF:Mirai-TO\\ [Trj] tulach.cc",
            "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
            "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
            "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
            "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
            "Yara Detections: is__elf",
            "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
            "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
            "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
            "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
            "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
            "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
            "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
            "Title The page title. Chieti Meteo - Webcam Abruzzo",
            "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
            "savethemalesdenver.com | brasville.com.br?",
            "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
            "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
            "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
            "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
            "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
            "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
            "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
            "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
            "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
            "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
            "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
            "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
            "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
            "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
            "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
            "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
            "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
            "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
            "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
            "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
            "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
            "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
            "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
            "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
            "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
            "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
            "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com"
          ],
          "public": 1,
          "adversary": "busybox MIORI Hackers",
          "targeted_countries": [
            "United States of America",
            "Mexico"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Bulilit",
              "display_name": "TrojanDownloader:Win32/Bulilit",
              "target": "/malware/TrojanDownloader:Win32/Bulilit"
            },
            {
              "id": "ELF:Mirai-TO\\ [Trj]",
              "display_name": "ELF:Mirai-TO\\ [Trj]",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai.B",
              "display_name": "Backdoor:Linux/Mirai.B",
              "target": "/malware/Backdoor:Linux/Mirai.B"
            },
            {
              "id": "TELPER:HSTR:DotCisOffer",
              "display_name": "TELPER:HSTR:DotCisOffer",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Backdoor:Win32/Bladabindi",
              "display_name": "Backdoor:Win32/Bladabindi",
              "target": "/malware/Backdoor:Win32/Bladabindi"
            },
            {
              "id": "ALF:E5",
              "display_name": "ALF:E5",
              "target": null
            },
            {
              "id": "Win.Malware.Midie-9950743-0",
              "display_name": "Win.Malware.Midie-9950743-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.ARJ!MTB",
              "display_name": "Trojan:Win32/Emotet.ARJ!MTB",
              "target": "/malware/Trojan:Win32/Emotet.ARJ!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 459,
            "FileHash-MD5": 1228,
            "FileHash-SHA1": 1163,
            "FileHash-SHA256": 2243,
            "domain": 876,
            "hostname": 1088,
            "CIDR": 2,
            "email": 17,
            "CVE": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 7083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "577 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "x95xd3xa4",
            "regbinary",
            "hx88x89",
            "kx82xd3x11",
            "xb9x8b",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cec16f4b510d325dc923a1",
          "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware",
          "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO.  \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.",
          "modified": "2024-09-27T03:03:09.340000",
          "created": "2024-08-28T06:19:27.154000",
          "tags": [
            "as36081 state",
            "location united",
            "america asn",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "mirai",
            "united states",
            "united",
            "ave suite",
            "purpose p5",
            "country united",
            "code us",
            "name security",
            "nexus category",
            "phone number",
            "postal code",
            "network",
            "number",
            "country us",
            "continent na",
            "algorithm",
            "data",
            "v3 serial",
            "cus oapple",
            "public ev",
            "server ecc",
            "g1 validity",
            "organization",
            "subject public",
            "rauschenberg",
            "apple computer",
            "applec1z",
            "mitre att",
            "evasion ta0005",
            "hashes",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "response",
            "request",
            "accept",
            "location https",
            "taiwan as3462",
            "south korea",
            "as4766 korea",
            "high",
            "japan as17676",
            "china as45090",
            "http",
            "search",
            "contacted",
            "malware",
            "copy",
            "as41231",
            "united kingdom",
            "status",
            "aaaa",
            "ddos",
            "whitelisted",
            "certificate",
            "moved",
            "trojan",
            "virtool",
            "encrypt",
            "software",
            "initial",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "body",
            "a domains",
            "linux ubuntu",
            "creation date",
            "enterprise open",
            "ubuntu",
            "linux",
            "social",
            "window",
            "code",
            "ipv4",
            "urls",
            "files",
            "reverse dns",
            "trojan features",
            "file samples",
            "files matching",
            "date hash",
            "domain",
            "address",
            "name servers",
            "servers",
            "intel",
            "icmp traffic",
            "dead_host",
            "network_icmp",
            "osquery_detection",
            "nolookup_communication",
            "pulse pulses",
            "unknown",
            "as20940",
            "as15169 google",
            "dns show",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "province co",
            "error",
            "tr tr",
            "pulse submit",
            "url analysis",
            "hostname",
            "files ip",
            "asnone united",
            "ireland unknown",
            "brazil unknown",
            "next",
            "showing",
            "gmt content",
            "apache cache",
            "pragma",
            "record value",
            "trojanproxy",
            "win32",
            "title",
            "server",
            "alf features",
            "related pulses",
            "show",
            "ip address",
            "asn as16509",
            "china unknown",
            "hichina",
            "hong kong",
            "as133775 xiamen",
            "web server",
            "authentication",
            "tls web",
            "full name",
            "ca issuers",
            "as44273 host",
            "a nxdomain",
            "avast avg",
            "russia unknown",
            "germany unknown",
            "turkey unknown",
            "japan unknown",
            "as16276",
            "france unknown",
            "service",
            "ck ids",
            "t1082",
            "t1129",
            "modules",
            "t1045",
            "packing",
            "t1060",
            "run keys",
            "startup"
          ],
          "references": [
            "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
            "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
            "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
            "Yara: Mirai_Botnet_Malware",
            "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
            "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
            "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
            "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
            "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
            "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
            "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
            "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
            "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
            "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
            "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
            "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
            "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
            "Yara Detections Mirai_Botnet_Malware",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College"
          ],
          "public": 1,
          "adversary": "Frank Di MuccioSGT",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "DDoS:Linux/Lightaidra",
              "display_name": "DDoS:Linux/Lightaidra",
              "target": "/malware/DDoS:Linux/Lightaidra"
            },
            {
              "id": "Trojan:Win32/Skeeyah",
              "display_name": "Trojan:Win32/Skeeyah",
              "target": "/malware/Trojan:Win32/Skeeyah"
            },
            {
              "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "target": null
            },
            {
              "id": "Win.Trojan.Tofsee-6840338-0",
              "display_name": "Win.Trojan.Tofsee-6840338-0",
              "target": null
            },
            {
              "id": "Win.Malware.Snojan-6775202-0",
              "display_name": "Win.Malware.Snojan-6775202-0",
              "target": null
            },
            {
              "id": "#LowFiEnableDTContinueAfterUnpacking",
              "display_name": "#LowFiEnableDTContinueAfterUnpacking",
              "target": null
            },
            {
              "id": "PSW.Generic12.WIO",
              "display_name": "PSW.Generic12.WIO",
              "target": null
            },
            {
              "id": "ELF:Hajime-Q",
              "display_name": "ELF:Hajime-Q",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1601",
              "name": "Modify System Image",
              "display_name": "T1601 - Modify System Image"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1078.001",
              "name": "Default Accounts",
              "display_name": "T1078.001 - Default Accounts"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            }
          ],
          "industries": [
            "Telecommunications",
            "Government",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1108,
            "hostname": 627,
            "domain": 628,
            "URL": 534,
            "FileHash-MD5": 377,
            "FileHash-SHA1": 373,
            "email": 12,
            "CIDR": 2,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3663,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "611 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c235b05007103d3e3e7038",
          "name": "HCA -  Win32:RansomX-gen affecting HCA (HealthOneCares) + Miscellaneous Attacks",
          "description": "HCA (Health One Cares) affected by a RansomX and various serious attacks. It's linked back to a neurosurgeon who is likely not responsible for attack of course. It has been the same,e group of attackers using Samuel Tulach engineered malware. I'm unsure if there is collusion between Brian Sabey (consistent attacker) and Samuel Tulach. I just know it relates back to the same threat actors that have been hacking healthcare facilities, government offices, telecommunications, technology at health centers abusing webcams and patients records modification, and distribution. PHI PII issues.",
          "modified": "2024-09-17T17:01:24.349000",
          "created": "2024-08-18T17:56:00.485000",
          "tags": [
            "blacklist http",
            "safe site",
            "no data",
            "tag count",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "cisco umbrella",
            "site",
            "alexa top",
            "united",
            "million",
            "mail spammer",
            "malicious site",
            "phishing site",
            "team phishing",
            "tofsee",
            "malware",
            "bank",
            "unsafe",
            "azorult",
            "cobalt strike",
            "service",
            "runescape",
            "facebook",
            "download",
            "zbot",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cl0p",
            "inmortal",
            "domains",
            "referrer",
            "historical ssl",
            "apple stuff",
            "combined",
            "hr rtd",
            "network",
            "collection",
            "vt graph",
            "round",
            "metro",
            "execution",
            "emotet",
            "startpage",
            "maltiverse top",
            "paypal",
            "blacklist",
            "passive dns",
            "related nids",
            "urls",
            "flag united",
            "accept",
            "acceptencoding",
            "hit age",
            "ip asn",
            "malware site",
            "adware",
            "fakealert",
            "opencandy",
            "exploit",
            "raccoon",
            "metastealer",
            "redline stealer",
            "anonymizer",
            "heur",
            "outlook",
            "phishing airbnb",
            "engineering",
            "phishing",
            "filerepmalware",
            "maltiverse",
            "div div",
            "c span",
            "div section",
            "span div",
            "search",
            "showing",
            "unknown",
            "as397240",
            "moved",
            "date",
            "body",
            "as54113",
            "github pages",
            "a domains",
            "entries",
            "mtb jul",
            "class",
            "sea x",
            "scan endpoints",
            "all scoreblue",
            "alf features",
            "related pulses",
            "file samples",
            "files matching",
            "show",
            "date hash",
            "next",
            "worm",
            "dynamicloader",
            "yara rule",
            "high",
            "windows",
            "grum",
            "medium",
            "installs",
            "windows startup",
            "application",
            "stream",
            "as22612",
            "ipv4",
            "pulse pulses",
            "files",
            "switch dns",
            "query",
            "data",
            "noname057",
            "password",
            "cybercrime",
            "malicious url",
            "kuaizip",
            "team",
            "downloader",
            "generic",
            "crack",
            "presenoker",
            "dapato",
            "riskware",
            "genkryptik",
            "fuery",
            "agent",
            "wacatac",
            "union",
            "shellexecuteexw",
            "hash",
            "writeconsolew",
            "registry",
            "t1031",
            "trojan",
            "copy",
            "dock",
            "write",
            "win32",
            "file execution",
            "explorer",
            "alerts",
            "checks",
            "bios",
            "system restore",
            "anne",
            "training",
            "strings http",
            "basic telephone",
            "xsl stylesheets",
            "apache fop",
            "createdate",
            "modifydate",
            "producer apache",
            "format",
            "core",
            "nxscspu",
            "zsextbzusbrvsk",
            "pxnzj",
            "jwxkrhdlrivprs",
            "default",
            "qxrfnjuodik",
            "mncau",
            "csqvrkwsqka",
            "testpath path",
            "else",
            "null",
            "suspicious",
            "win64",
            "hotkey",
            "ransom",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "push"
          ],
          "references": [
            "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.",
            "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render",
            "Adversary: https://github.com/SamuelTulach/VirusTotalUploader",
            "https://work.a-poster.info",
            "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928",
            "Emotet:   FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f",
            "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f",
            "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32",
            "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg.  http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "Antivirus Detections Other:Malware-gen\\ [Trj] ,  ALF:TrojanDownloader:PowerShell/Ploprolo.DB  Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell",
            "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)",
            "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent",
            "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http",
            "Antivirus Detections: Win.Malware.Moonlight-9919383-0 ,  Worm:Win32/Lightmoon.H",
            "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
            "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files",
            "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Cl0p",
              "display_name": "Cl0p",
              "target": null
            },
            {
              "id": "Inmortal",
              "display_name": "Inmortal",
              "target": null
            },
            {
              "id": "Domains",
              "display_name": "Domains",
              "target": null
            },
            {
              "id": "ALF:Trojan:Win32/Cassini_f28c33a2",
              "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn",
              "display_name": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.YL",
              "display_name": "Trojan:Win32/Emotet.YL",
              "target": "/malware/Trojan:Win32/Emotet.YL"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Worm:Win32/Lightmoon.H",
              "display_name": "Worm:Win32/Lightmoon.H",
              "target": "/malware/Worm:Win32/Lightmoon.H"
            },
            {
              "id": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
              "display_name": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Civilian Society",
            "Technology",
            "Healthcare",
            "Telecommunications",
            "Media"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 891,
            "FileHash-MD5": 2368,
            "FileHash-SHA1": 1873,
            "FileHash-SHA256": 5092,
            "domain": 648,
            "hostname": 557,
            "CVE": 8,
            "email": 2
          },
          "indicator_count": 11439,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "620 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b80a20bbcd0eb305a740ec",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-29T20:27:12.899000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a77c6a22a236495c4548d6",
          "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.'  PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T07:06:18.453000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "remote",
            "malvertizing",
            "spying",
            "cyber stalking"
          ],
          "references": [
            "https://tulach.cc/",
            "go.sabey.com",
            "sabey.com",
            "cellebrite.com",
            "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "remote.aciscomputers.com",
            "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
            "114.114.114.114 [Tulach]",
            "nr-data.net [Apple Private Data Collection]",
            "defenselawyernj.com",
            "attorney-marketing-specialists.com ?",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
            "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
            "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
            "https://t.me/hermitspyware/24",
            "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
            "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
            "http://watchhers.net/index.php [remote attackers | malware spreader]",
            "api-stage.pornhub.com",
            "newbrazzers.com [y8.com]",
            "www.videolan.org [info solutions]",
            "www2.blackbagtech.com [hidden users included]",
            "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
            "http://pegasus.diskel.co.uk/ [phishing]",
            "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
            "fds.cellebrite.com",
            "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
            "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
            "http://download.virtualbox.org/virtualbox/debian",
            "match.pegasus.isi.edu",
            "asp.net",
            "http://dropbox.com/ [ intrusions/ dropbox stealer]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1588.004",
              "name": "Digital Certificates",
              "display_name": "T1588.004 - Digital Certificates"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            }
          ],
          "industries": [
            "Individual",
            "Patient",
            "Healthcare",
            "Survivor"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3157,
            "domain": 2903,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a76c2901b34c79a681596d",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following ,  being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T05:56:57.948000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659560d63178b32f07838efb",
          "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|",
          "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering,  spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.",
          "modified": "2024-02-02T12:04:41.638000",
          "created": "2024-01-03T13:27:50.685000",
          "tags": [
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "unsafeeval",
            "path",
            "expiressat",
            "auto",
            "wheels online",
            "o tires",
            "shop tires",
            "html info",
            "title shop",
            "tires",
            "meta tags",
            "big o",
            "tires language",
            "name verdict",
            "falcon sandbox",
            "samples",
            "localappdata",
            "json data",
            "temp",
            "getprocaddress",
            "ascii text",
            "windir",
            "file",
            "indicator",
            "mitre att",
            "ck id",
            "factory",
            "hybrid",
            "model",
            "comspec",
            "ssl certificate",
            "whois record",
            "execution",
            "contacted",
            "historical ssl",
            "whois whois",
            "simda http",
            "collections",
            "historical",
            "dropped",
            "backdoor",
            "unknown",
            "united",
            "asnone",
            "show",
            "entries",
            "search",
            "intel",
            "ms windows",
            "pe32",
            "windows nt",
            "copy",
            "write",
            "logic",
            "download",
            "malware",
            "suspicious",
            "next",
            "destination",
            "port",
            "components",
            "globalnpf",
            "china as23724",
            "music",
            "data c",
            "mexico",
            "as15169 google",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "united kingdom",
            "explorer",
            "xserver",
            "mtb aug",
            "location united",
            "america asn",
            "open",
            "trojan",
            "worm",
            "dataadobereader",
            "as397240",
            "msie",
            "etpro trojan",
            "virgin islands",
            "script urls",
            "creation date",
            "record value",
            "date",
            "a domains",
            "all search",
            "otx octoseek",
            "url http",
            "http",
            "related nids",
            "pulse http",
            "url https",
            "files location",
            "as20940",
            "aaaa",
            "as2914 ntt",
            "canada unknown",
            "japan unknown",
            "as16625 akamai",
            "domain",
            "hostname",
            "gmt content",
            "gmt report",
            "0 report",
            "sea alt",
            "body",
            "encrypt",
            "social engineering",
            "revenge rat",
            "rat",
            "identity theft",
            "credit card",
            "referrer",
            "communicating",
            "bundled",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "quasar rat",
            "dark power",
            "swisyn",
            "wiper",
            "ransomware",
            "cobalt strike",
            "attack",
            "core",
            "emotet",
            "exploit",
            "hacktool",
            "mail spammer",
            "as63949 linode",
            "mtb dec",
            "checkin m1",
            "trojanspy",
            "artro",
            "remote",
            "infostealer"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ukraine",
            "Georgia",
            "India",
            "Hong Kong",
            "Canada",
            "China",
            "Indonesia",
            "South Africa",
            "Germany",
            "Slovenia",
            "Mexico",
            "Netherlands",
            "Japan",
            "Spain",
            "Argentina",
            "France",
            "Chile",
            "Italy",
            "Aruba",
            "Switzerland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Denmark",
            "Poland",
            "Colombia",
            "Taiwan",
            "Bulgaria",
            "Austria",
            "Russian Federation",
            "Australia",
            "Philippines",
            "Norway",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Simda",
              "display_name": "Backdoor:Win32/Simda",
              "target": "/malware/Backdoor:Win32/Simda"
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "PWS:Win32/VB.CU",
              "display_name": "PWS:Win32/VB.CU",
              "target": "/malware/PWS:Win32/VB.CU"
            },
            {
              "id": "Trojan:MSIL/ClipBanker.GB!MTB",
              "display_name": "Trojan:MSIL/ClipBanker.GB!MTB",
              "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB"
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            },
            {
              "id": "Win.Packed.Zusy-7170176-0",
              "display_name": "Win.Packed.Zusy-7170176-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-9880005-0",
              "display_name": "Win.Trojan.Zbot-9880005-0",
              "target": null
            },
            {
              "id": "'Win32:Trojan-gen",
              "display_name": "'Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.B",
              "display_name": "Worm:Win32/Mofksys.B",
              "target": "/malware/Worm:Win32/Mofksys.B"
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Worm:LOGO/Logic",
              "display_name": "Worm:LOGO/Logic",
              "target": "/malware/Worm:LOGO/Logic"
            },
            {
              "id": "ETPro Trojan",
              "display_name": "ETPro Trojan",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Swisyn",
              "display_name": "TrojanSpy:Win32/Swisyn",
              "target": "/malware/TrojanSpy:Win32/Swisyn"
            },
            {
              "id": "Dark Power",
              "display_name": "Dark Power",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 560,
            "FileHash-SHA1": 350,
            "FileHash-SHA256": 4371,
            "URL": 8165,
            "domain": 2548,
            "hostname": 2813,
            "CVE": 4,
            "email": 3
          },
          "indicator_count": 18814,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "848 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568ab12429c394dc4b91ea",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go",
          "description": "",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-16T21:33:37.838000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6553b88c316cfb531b9c4c10",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6553b88c316cfb531b9c4c10",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com",
          "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-14T18:12:28.459000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568d67bd96e06ab44b9b95",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-16T21:45:11.721000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65536bdc3676a40633a619be",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bdc3676a40633a619be",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:45:16.667000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bc6301b7cdf7d04e095",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:44:54.422000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708e0601ea9f27bdebdf4b",
          "name": "Merry Christmas RUs Chasers",
          "description": "",
          "modified": "2023-12-06T15:06:45.654000",
          "created": "2023-12-06T15:06:45.654000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1727,
            "CVE": 1,
            "domain": 1477,
            "URL": 4663,
            "hostname": 1110
          },
          "indicator_count": 8978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62802e2a51e813c6db82758f",
          "name": "Merry Christmas RUs Chasers",
          "description": "",
          "modified": "2022-06-13T00:00:32.864000",
          "created": "2022-05-14T22:33:14.346000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1727,
            "hostname": 1110,
            "URL": 4663,
            "domain": 1477,
            "CVE": 1
          },
          "indicator_count": 8978,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 397,
          "modified_text": "1448 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Associated w/Apple ID: http://qumoteze.apple-hk.com\tqumoteze.apple-hk.com | 17.253.142.4 | http://identity.appke.com | identity.appke.com",
        "https://viz.greynoise.io/ip/analysis/0fc0805a-ed20-4be0-b91e-f4189a9619ce",
        "https://www.virustotal.com/graph/embed/g2484756a6bca4d9ca3b636b9775705296ed6d403bdd9471aab55afb1d5448630?theme=dark",
        "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg",
        "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
        "Lance Mueller Photography Artistic Portraiture || Domains || lancemueller.com/https://www.lancemueller.com/ www.instagram.com",
        "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "http://pegasus.diskel.co.uk/ [phishing]",
        "Antivirus Detections Other:Malware-gen\\ [Trj] ,  ALF:TrojanDownloader:PowerShell/Ploprolo.DB  Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell",
        "ELF:Mirai-TO\\ [Trj] tulach.cc",
        "Win.Malware.Midie-9950743-0: Domains Contacted microsoft.com dropbox.com twitter.com sendspace.com etrade.com",
        "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
        "Emotet:   FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f",
        "http://download.virtualbox.org/virtualbox/debian",
        "http://dropbox.com/ [ intrusions/ dropbox stealer]",
        "Associated w/Apple ID: 17.253.142.4 |\thttp://xn--8mrw5wsjh2jt.top | xn--8mrw5wsjh2jt.top | 17.253.142.4 | https://www.qttv.net | www.qttv.net",
        "Win.Malware.Midie-9950743-0: Domains Contacted instagram.com github.com icloud.com python.org facebook.com",
        "https://www.filescan.io/uploads/68f5e2a5c85c5c56972eaebb/reports/56841543-5615-4517-b718-77e27b2e8819/ioc",
        "IDS Detections: busybox MIORI Hackers - Possible Brute Force Attack Bad Login",
        "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
        "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
        "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College",
        "fds.cellebrite.com",
        "Yara Detections: is__elf",
        "Antivirus Detections: Win.Malware.Moonlight-9919383-0 ,  Worm:Win32/Lightmoon.H",
        "Apple ID: 17.253.142.4 | Reverse DNS www.applesports.webcam",
        "work.a-poster.info",
        "http://watchhers.net/index.php [remote attackers | malware spreader]",
        "home.toshiba.com",
        "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
        "http://girlsandtheir.webcam/&_=1727668914786 | http://girlsandtheir.webcam/&_=1727684361432 | http://girlsandtheir.webcam/&_=1678620676912",
        "pornhub.com",
        "https://t.me/hermitspyware/24",
        "IDS Detections: Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) FormBook CnC Checkin (GET)",
        "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
        "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render",
        "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent",
        "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
        "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
        "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc",
        "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
        "http://mobile.suddenlink2go.com/",
        "Address 198.185.159.144 ,  198.185.159.145 ,  198.49.23.144 ,  198.49.23.145",
        "Win.Packed.Enigma-10023199-0: FileHash - SHA256 2753cb6cd4b034d91a1361d5d4f643e3f45abbe249a1563e2e3bf6e7b6001cd3",
        "168.200.5.0/24: Autonomous System Number :18693 ||  Autonomous System Label UCH-CENTRAL Regional Internet Registry: ARIN: Country US",
        "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
        "Computer Forensics Malware Analysis Digital Investigations | www.forensickb.com |",
        "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
        "Associated w.Apple ID: 17.253.142.4 | https://qumoteze.apple-hk.com | http://applegiftcard.apple/ | https://identity.appke.com",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "webcam.sopris.net || https://www.chietimeteo.it/webcamabruzzo.htm savethemalesdenver.com",
        "savethemalesdenver.com | brasville.com.br?",
        "Associated w/Apple ID: http://www.ripmixburn.com/| www.ripmixburn.com | 17.253.142.4 | http://www.qttv.net |www.qttv.net | 17.253.142.4",
        "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
        "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
        "api-stage.pornhub.com",
        "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
        "IDS Detections:  busybox MIORI Hackers - Infected System SUSPICIOUS Path to BusyBox",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "IDS Detections: Win32.Renos/Artro Trojan Checkin M1 Fakealert.ATQ/Renos.GNC Checkin AlphaCrypt CnC Beacon 5 Win32.Meredrop Checkin",
        "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)",
        "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "newbrazzers.com [y8.com]",
        "https://tulach.cc/",
        "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
        "Yara: Mirai_Botnet_Malware",
        "girlsandtheir.webcam - suspicious_write_exe network_icmp infostealer_keylogger process_martian injection_resumethread | parkingcrew.net  ns2.parkingcrew.net",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI",
        "https://twitter.com/PORNO_SEXYBABES",
        "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "http://www.door.net/ARISBE/arisbe.htm",
        "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "Trojan:Win32/Mydoom | apple.com | IP Address 17.253.144.10: Yara Detections EnigmaProtector ,  xor_0x8_This_program Alerts network_bind persistence_autorun antivm_generic_diskreg",
        "monitor.cablelan.net",
        "pornhub.com\t \u2022 www.pornhub.com",
        "remote.aciscomputers.com",
        "Crypt3.BWVY \u00bb forums.girlsandtheir.webcam | http://girlsandtheir.webcam/&_=1642807476815 | http://girlsandtheir.webcam/&_=1677944772349",
        "https://metadefender.com/results/file/bzI1MTAyMEJqaHhnTWEwLU1VS181QVhwNHlP",
        "CIDR: 168.200.0.0/16 NetName: UCH NetHandle: NET-168-200-0-0-1 Parent: NET168 (NET-168-0-0-0-0) NetType: Direct Allocation Organization: University of Colorado Hospital (UCHA) RegDate: 1994-06-22 Updated: 2021-12-14 Ref: https://rdap.arin.net/registry/ip/168.200.0.0 OrgName: University of Colorado Hospital OrgId: UCHA Address: 13001 East 17th Place Address: UH Fitzsimons bldg 500 5th floor east Address: Information Services City: Aurora StateProv: CO PostalCode: 80045-0505 Country:",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "IP: 198.185.159.144 Backdoor:Linux/Mirai.B || TELPER:HSTR:DotCisOffer || TrojanSpy:Win32/Nivdort || Bladabindi || TrojanDownloader:Win32/Bulilit",
        "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
        "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
        "https://www.virustotal.com/gui/collection/0d117c1338ea8314404a1bfecd2e96a4b0d48dce795cbe57d702db3eb35998e1/iocs",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "hanmail.net",
        "ytq2rs56.haogfw.com",
        "https://176.113.115.136/ohhiiiii/",
        "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928",
        "myhughesnet.com",
        "Win.Malware.Midie-9950743-0 Apple IP 17.253.144.10: SHA256 8b3170934dd8efaf4335f752d4a1a1816f8be3cdba963d897b93f308fa4ab644",
        "https://viz.greynoise.io/ip/analysis/8f018fe6-9b92-4817-9dfd-e0e08177a92c - 10.29.25",
        "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
        "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
        "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
        "Final URL contacted when you try to visit the URL under study, after any potential redirects. https://www.chietimeteo.it/webcamabruzzo.htm Serving IP Address: 89.46.110.55",
        "cellebrite.com",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "http://girlsandtheir.webcam/&_=167922487756 | http://girlsandtheir.webcam/&_=1678764409894 | http://girlsandtheir.webcam/&_=1679002803910",
        "go.sabey.com",
        "https://work.a-poster.info",
        "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
        "Adversary: https://github.com/SamuelTulach/VirusTotalUploader",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "www.proxydocker.com Yvmc.org is hosted in United States ip detail \u00c9tats Unis (US) , (Aurora , Colorado ) links to network IP address: 168.200.5.63",
        "https://www.everycloudtech.com/free-mail-flow-monitor",
        "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
        "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg.  http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com",
        "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http",
        "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
        "http://girlsandtheir.webcam/&_=1678440394065 | http://girlsandtheir.webcam/&_=1678605911170 | http://girlsandtheir.webcam/&_=1678901115584",
        "ELF:Mirai-TO\\ [Trj] 12.111.210.191 |  United States of America ASN AS7018 att services inc",
        "https://monitor.rodgersmith.com",
        "palantir-staging.staging.candidate.app.paulsjob.ai",
        "Win.Malware.Midie Alerts: injection_inter_process injection_create_remote_thread antisandbox_sleep persistence_autorun browser_security",
        "Basic Properties Regional Internet Registry ARIN   Country US   Continent NA Whois Lookup NetRange: 168.200.0.0 - 168.200.255.255 US",
        "Title The page title. Chieti Meteo - Webcam Abruzzo",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "Yara Detections Mirai_Botnet_Malware",
        "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.",
        "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85",
        "nr-data.net [Apple Private Data Collection]",
        "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss",
        "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
        "168.200.45.168 Original IP- UCHealth is jacking accounts | University of Colorado Hospital Scot.MacCabe@uchealth.org",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "Win.Malware.Midie Alerts: antisandbox_unhook infostealer_cookies  deletes_executed_files infostealer_bitcoin injection_createremotethread",
        "http://serafinipelletteria.it/riparazioni/13-borse-restauro/22-spy-bag-%C3%83%C2%A2%C3%A2%C2%82%C2%AC%C3%A2%C2%80%C2%9C-fend",
        "dishmail.net",
        "114.114.114.114",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
        "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
        "www-stage40.pornhub.com",
        "defenselawyernj.com",
        "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
        "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files",
        "www2.blackbagtech.com [hidden users included]",
        "www.videolan.org [info solutions]",
        "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
        "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
        "match.pegasus.isi.edu",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
        "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
        "http://girlsandtheir.webcam/&_=1679275226198 | http://girlsandtheir.webcam/&_=1679338009770| http://girlsandtheir.webcam/&_=1679628920449 No Expira http://girlsandtheir.webcam/&_=1727448919580\t  | http://girlsandtheir.webcam/&_=1727487291351 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727511329381 No Expiration\t0\t  URL http://girlsandtheir.webcam/&_=1727586798507 | http://girlsandtheir.webcam/&_=1727595333556  | http://girlsandtheir.webcam/&_=1727665483552",
        "Detections Executable and linking format (ELF) file download Over HTTP",
        "IDS Detections: CryptoWall Check-in Net-Worm.Win32.Koobface.jxs Checkin AlphaCrypt CnC Beacon 6 Koobface HTTP Request",
        "appleaustralia.com",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "https://polyswarm.network/scan/results/file/3a069ad7325feb0cc4d18ef7347ebdbed6290c2285634a2b43e07c7c6a759451",
        "https://viz.greynoise.io/ip/analysis/450bed8c-fc0d-48cb-aebe-56941da4886b - 11.26.25",
        "ELF:Mirai-TO\\ [Trj] UCH/PU_Log_ID/Locked_Scr [168.200.5.63] || http://itsupport.uchealth.org/ ||  [Trj] http://itsupport.uchealth.org/",
        "chatluongvn.tk - use of targeted surveillance intended to spy on members of civil society, suppress dissent, crime victims & monitor journalists.",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "https://www.virustotal.com/graph/embed/gdeb33b2284ec47739ae15daaf7a0ade8669439cc0f81433d9540e26c7831debc?theme=dark",
        "asp.net",
        "attorney-marketing-specialists.com ?",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "sabey.com",
        "ELF:Mirai-TO\\ [Trj] FileHash-SHA256. 09c0d1671fd9da396c13456d552a884a582aa194c8739a97ee18928c001bbbca",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32",
        "114.114.114.114 [Tulach]"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Frank Di MuccioSGT",
            "busybox MIORI Hackers"
          ],
          "malware_families": [
            "Artro",
            "Win.packed.zusy-7170176-0",
            "Backdoor:win32/tofsee",
            "Win.packer.pkr_ce1a-9980177-0",
            "Trojanspy",
            "Backdoor:win32/bladabindi",
            "Worm:win32/lightmoon.h",
            "Cl0p",
            "Hallrender",
            "Trojan:win32/comspec",
            "Win32:ransomx-gen\\ [ransom]",
            "Virus:win32/floxif.h",
            "#lowfienabledtcontinueafterunpacking",
            "Alf:e5",
            "Cerber ransomware",
            "Inject3.qgy",
            "'win32:trojan-gen",
            "Sabey",
            "Trojanspy:win32/nivdort",
            "Alf:trojan:win32/cassini_f28c33a2",
            "Quasar rat",
            "Tulach",
            "Backdoor:win32/simda",
            "Telper:hstr:dotcisoffer",
            "Kimsuky",
            "Win.trojan.zbot-9880005-0",
            "Maltiverse",
            "Trojandownloader:win32/bulilit",
            "Trojan:msil/clipbanker.gb!mtb",
            "Mirai",
            "Botnet",
            "Emotet",
            "Crypt3.blxp",
            "Trojan:win32/emotet.arj!mtb",
            "Inmortal",
            "Tel:trojandownloader:o97m/msiexecabuse",
            "Apnic",
            "Cobalt strike",
            "Alf:trojan:win32/flystudio.pa!mtb",
            "Et",
            "Elf:mirai-to\\ [trj]",
            "Worm:win32/mofksys.rnd!mtb",
            "Backdoor:linux/mirai.b",
            "Trojan:win32/emotet.yl",
            "Exodus",
            "Ddos:linux/lightaidra",
            "Virtool:win32/obfuscator",
            "Roblox",
            "Alf:trojandownloader:powershell/ploprolo.db",
            "Psw.generic12.wio",
            "Trojanspy:win32/swisyn",
            "Dark power",
            "Lolkek",
            "Sf:shellcode-au\\ [trj]",
            "Virtool:win32/tofsee",
            "Hacktool",
            "Etpro",
            "Trojandownloader:win32/cutwail",
            "Tofsee",
            "#lowfi:scpt:kiraasciiobfuscator",
            "Alf:heraklezeval:worm:win32/mimail!rfn",
            "Etpro trojan",
            "Pws:win32/vb.cu",
            "Trojan:win32/glupteba",
            "Elf:hajime-q",
            "Muldrop",
            "Nod32",
            "Tulach malware",
            "Kelihos",
            "Win.malware.midie-9950743-0",
            "Worm:logo/logic",
            "Ransomware",
            "Trojan:win32/skeeyah",
            "Win.trojan.tofsee-6840338-0",
            "Worm:win32/mofksys.b",
            "Pws:win32/raven",
            "Domains",
            "Nids",
            "Win.malware.snojan-6775202-0"
          ],
          "industries": [
            "Government",
            "Civilian society",
            "Energy",
            "Telecommunications",
            "Survivor",
            "Technology",
            "Media",
            "Healthcare",
            "Individual",
            "Education",
            "Patient"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 30,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dc7e076cbfe2d0f7eb90",
      "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
      "description": "",
      "modified": "2026-05-30T00:28:12.957000",
      "created": "2026-04-30T04:37:18.870000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fc29a49b5ac693c8d75122",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3851,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3330,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d6c7fec016b76d49ed95ae",
      "name": "VirusTotal report\n                    for index.html",
      "description": "shatter",
      "modified": "2026-05-08T22:06:56.603000",
      "created": "2026-04-08T21:26:22.351000",
      "tags": [
        "performs dns",
        "united",
        "https",
        "found",
        "tls version",
        "mitre attack",
        "network info",
        "processes extra",
        "urls",
        "t1055 process",
        "phishing",
        "next",
        "script",
        "doctype html",
        "variablece2034",
        "head"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 442,
        "FileHash-MD5": 245,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 573,
        "URL": 570,
        "hostname": 1058,
        "email": 3,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3094,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dc7db0bb5c5cdaec5a6c",
      "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
      "description": "",
      "modified": "2026-04-30T04:53:09.713000",
      "created": "2026-04-30T04:37:17.546000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fc29a49b5ac693c8d75122",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3851,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3330,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b76c9a490b69b6a085b3",
      "name": "Exodus/cellbrite clone by Q Vashti",
      "description": "",
      "modified": "2026-03-12T12:54:04.160000",
      "created": "2026-03-12T12:54:04.160000",
      "tags": [
        "ssl certificate",
        "network",
        "malware",
        "whois record",
        "contacted",
        "pegasus",
        "resolutions",
        "communicating",
        "sa victim",
        "assaulter",
        "quasar",
        "brian sabey",
        "go.sabey",
        "ioc search",
        "new ioc",
        "teams api",
        "contact",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "urls https",
        "samples",
        "united",
        "aaaa",
        "status",
        "susp",
        "search",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "date",
        "next",
        "show",
        "domain related",
        "feeds ioc",
        "maltiverse",
        "analyze",
        "scan endpoints",
        "all octoseek",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "all search",
        "otx octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "china unknown",
        "as4134 chinanet",
        "unknown",
        "name servers",
        "showing",
        "namesilo",
        "domain name",
        "dynadot llc",
        "as8075",
        "script urls",
        "netherlands",
        "a domains",
        "capture",
        "asnone united",
        "record value",
        "expiration date",
        "entries",
        "cname",
        "tulach",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "server",
        "available from",
        "iana id",
        "registrar abuse",
        "registrar url",
        "registrar whois",
        "abuse contact",
        "email",
        "registry domain",
        "code",
        "win32 exe",
        "ufed iphone",
        "cellebrite ufed",
        "setup",
        "tjprojmain",
        "ufed4pc",
        "win32 dll",
        "detections type",
        "name",
        "responder",
        "exodus",
        "android",
        "office open",
        "xml document",
        "cellebrite",
        "type name",
        "pdf cellebrite",
        "ufed release",
        "cellbrite",
        "privilege https",
        "targets sa",
        "survivor",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "file",
        "pattern match",
        "observed email",
        "path",
        "factory",
        "hybrid",
        "general",
        "model",
        "comspec",
        "click",
        "title",
        "page",
        "body doctype",
        "quoth",
        "raven",
        "gmt content",
        "type",
        "vary",
        "accept",
        "october",
        "december",
        "copy",
        "execution",
        "awful",
        "referrer",
        "april",
        "kimsuky",
        "malicious",
        "crypto",
        "startpage",
        "hacktool",
        "installer",
        "tofsee",
        "historical ssl",
        "threat roundup",
        "phishing",
        "utc submissions",
        "submitters",
        "csc corporate",
        "domains",
        "twitter",
        "dropbox",
        "incapsula",
        "summary iocs",
        "graph community",
        "registrarsafe",
        "gandi sas",
        "google llc",
        "amazon02",
        "google",
        "akamaias",
        "facebook",
        "service",
        "patch",
        "namecheapnet",
        "cloudflarenet",
        "amazonaes",
        "gmo internet",
        "apple",
        "tsara brashears",
        "keylogger"
      ],
      "references": [
        "https://tulach.cc/",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES",
        "hanmail.net",
        "114.114.114.114",
        "work.a-poster.info",
        "www-stage40.pornhub.com",
        "go.sabey.com",
        "sabey.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Exodus",
          "display_name": "Exodus",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "PWS:Win32/Raven",
          "display_name": "PWS:Win32/Raven",
          "target": "/malware/PWS:Win32/Raven"
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        },
        {
          "id": "VirTool:Win32/Tofsee",
          "display_name": "VirTool:Win32/Tofsee",
          "target": "/malware/VirTool:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6916e098df39114161354b23",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4295,
        "FileHash-MD5": 322,
        "FileHash-SHA1": 296,
        "FileHash-SHA256": 3255,
        "domain": 2911,
        "hostname": 2894,
        "CVE": 2,
        "email": 9,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 13986,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "79 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a5c36b78ed73550bb0bf22",
      "name": "by Disable_Duck",
      "description": "",
      "modified": "2026-03-04T23:37:24.208000",
      "created": "2026-03-02T17:05:47.288000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB",
        "TLS/SSL Crawler",
        "CVE-2026-24061 Attempt",
        "Generic IoT Default Password Attempt",
        "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
        "Dahua Backdoor Attempt",
        "ENV Crawler",
        "DCERPC Protocol",
        "Carries HTTP Referer",
        "GNU Inetutils Telnetd Auth Bypass",
        "ICMPv4 Protocol"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
        "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)",
        "Argentina",
        "Switzerland"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "6901363c4ce422f5caf0f72c",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 996,
        "domain": 987,
        "hostname": 3306,
        "email": 4,
        "CVE": 1
      },
      "indicator_count": 27048,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6901363c4ce422f5caf0f72c",
      "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
      "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
      "modified": "2026-02-18T05:00:41.494000",
      "created": "2025-10-28T21:31:40.008000",
      "tags": [
        "kgs0",
        "kls0",
        "botname http",
        "entity",
        "UAlberta",
        "Telus",
        "Norton",
        "ffss",
        "Alberta",
        "AlbertaNDP",
        "InteriorHealth",
        "RCMP",
        "CrimeStoppersAB",
        "EdmontonPolice",
        "RCMP Kelowna",
        "RCMP AB"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
        "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "Panama",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "Slovakia",
        "Aruba",
        "Anguilla",
        "Australia",
        "Costa Rica",
        "Guatemala",
        "Mexico",
        "Trinidad and Tobago",
        "Cura\u00e7ao",
        "Philippines",
        "Virgin Islands, U.S.",
        "Ukraine",
        "Barbados",
        "Germany",
        "Sint Maarten (Dutch part)"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Energy",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3903,
        "FileHash-SHA1": 4967,
        "FileHash-SHA256": 12884,
        "URL": 995,
        "domain": 984,
        "hostname": 3305,
        "email": 4
      },
      "indicator_count": 27042,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "102 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695c8007f67e8b9a6bb276c5",
      "name": "export_USERS 1-14000 / 157705",
      "description": "UAlberta Azure/Entra (partial)\nRelated to Pulse 'Ghosts' [ loads into system files ]",
      "modified": "2026-02-05T03:05:05.683000",
      "created": "2026-01-06T03:22:47.101000",
      "tags": [
        "true",
        "member",
        "guest",
        "invitation",
        "emailverified",
        "notadult",
        "zhang",
        "nguyen",
        "smith",
        "andison",
        "wang",
        "yang",
        "king",
        "pandit",
        "martin",
        "hong",
        "murray",
        "davis",
        "perez",
        "kremp",
        "walker",
        "rush",
        "ding",
        "cheng",
        "jarvis",
        "casey",
        "blank",
        "jason",
        "hope",
        "shang",
        "lambert",
        "hare",
        "hustler",
        "nichols",
        "james",
        "wong",
        "patel",
        "grewal",
        "rana",
        "jaber",
        "david",
        "hawkshaw",
        "jackson",
        "hunter",
        "horn",
        "modi",
        "baixue",
        "chen",
        "reid",
        "mendoza",
        "bone",
        "dada",
        "stepan",
        "fisher",
        "roma",
        "barry",
        "moran",
        "goodwin",
        "tack",
        "baran",
        "donald",
        "pedro",
        "green",
        "dennis",
        "stop",
        "kaneria",
        "duke",
        "goli",
        "bach",
        "hwang",
        "hill",
        "mark",
        "victor",
        "pino",
        "little",
        "misa",
        "gloria",
        "mesina",
        "matta",
        "shen",
        "splinter",
        "sohana",
        "alex",
        "jean",
        "madro",
        "coco",
        "zhao",
        "support",
        "lynda",
        "daniel",
        "info",
        "brick",
        "wagner",
        "stark",
        "starr",
        "dorn",
        "repka",
        "heck",
        "park",
        "tang",
        "multiple1162021",
        "alexander",
        "gibbon",
        "calgary",
        "matthew",
        "bian",
        "shah",
        "johnson",
        "delfs",
        "morrison",
        "flood",
        "black",
        "valencia",
        "bredo",
        "singh",
        "chan",
        "ahmed",
        "salm",
        "faisal",
        "agena",
        "bella",
        "crow",
        "yurkiw",
        "xgygy0094",
        "huang",
        "trinity",
        "aris",
        "alisa",
        "cardinal",
        "wolf",
        "corona",
        "abbas",
        "rasim",
        "asher",
        "motil",
        "xena",
        "hammer",
        "hack",
        "chin",
        "odysseus",
        "otto",
        "jain",
        "joshi",
        "hole",
        "daum",
        "stack",
        "murphy",
        "leon",
        "meadwell",
        "owumi",
        "royce",
        "luna",
        "eddie",
        "stone",
        "stang",
        "code",
        "paradis",
        "zhen",
        "sood",
        "pepper",
        "mill",
        "cassidy",
        "blade",
        "minimo",
        "sweet",
        "toal"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "domain": 243,
        "email": 14365,
        "hostname": 104
      },
      "indicator_count": 14717,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "115 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6952febb1dbcf05ee601f050",
      "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
      "description": "",
      "modified": "2025-12-29T22:20:43.238000",
      "created": "2025-12-29T22:20:43.238000",
      "tags": [
        "ssl certificate",
        "network",
        "malware",
        "whois record",
        "contacted",
        "pegasus",
        "resolutions",
        "communicating",
        "sa victim",
        "assaulter",
        "quasar",
        "brian sabey",
        "go.sabey",
        "ioc search",
        "new ioc",
        "teams api",
        "contact",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "urls https",
        "samples",
        "united",
        "aaaa",
        "status",
        "susp",
        "search",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "date",
        "next",
        "show",
        "domain related",
        "feeds ioc",
        "maltiverse",
        "analyze",
        "scan endpoints",
        "all octoseek",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "all search",
        "otx octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "china unknown",
        "as4134 chinanet",
        "unknown",
        "name servers",
        "showing",
        "namesilo",
        "domain name",
        "dynadot llc",
        "as8075",
        "script urls",
        "netherlands",
        "a domains",
        "capture",
        "asnone united",
        "record value",
        "expiration date",
        "entries",
        "cname",
        "tulach",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "server",
        "available from",
        "iana id",
        "registrar abuse",
        "registrar url",
        "registrar whois",
        "abuse contact",
        "email",
        "registry domain",
        "code",
        "win32 exe",
        "ufed iphone",
        "cellebrite ufed",
        "setup",
        "tjprojmain",
        "ufed4pc",
        "win32 dll",
        "detections type",
        "name",
        "responder",
        "exodus",
        "android",
        "office open",
        "xml document",
        "cellebrite",
        "type name",
        "pdf cellebrite",
        "ufed release",
        "cellbrite",
        "privilege https",
        "targets sa",
        "survivor",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "file",
        "pattern match",
        "observed email",
        "path",
        "factory",
        "hybrid",
        "general",
        "model",
        "comspec",
        "click",
        "title",
        "page",
        "body doctype",
        "quoth",
        "raven",
        "gmt content",
        "type",
        "vary",
        "accept",
        "october",
        "december",
        "copy",
        "execution",
        "awful",
        "referrer",
        "april",
        "kimsuky",
        "malicious",
        "crypto",
        "startpage",
        "hacktool",
        "installer",
        "tofsee",
        "historical ssl",
        "threat roundup",
        "phishing",
        "utc submissions",
        "submitters",
        "csc corporate",
        "domains",
        "twitter",
        "dropbox",
        "incapsula",
        "summary iocs",
        "graph community",
        "registrarsafe",
        "gandi sas",
        "google llc",
        "amazon02",
        "google",
        "akamaias",
        "facebook",
        "service",
        "patch",
        "namecheapnet",
        "cloudflarenet",
        "amazonaes",
        "gmo internet",
        "apple",
        "tsara brashears",
        "keylogger"
      ],
      "references": [
        "https://tulach.cc/",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES",
        "hanmail.net",
        "114.114.114.114",
        "work.a-poster.info",
        "www-stage40.pornhub.com",
        "go.sabey.com",
        "sabey.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Exodus",
          "display_name": "Exodus",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "PWS:Win32/Raven",
          "display_name": "PWS:Win32/Raven",
          "target": "/malware/PWS:Win32/Raven"
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        },
        {
          "id": "VirTool:Win32/Tofsee",
          "display_name": "VirTool:Win32/Tofsee",
          "target": "/malware/VirTool:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65b80a20bbcd0eb305a740ec",
      "export_count": 40582,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4101,
        "FileHash-MD5": 322,
        "FileHash-SHA1": 296,
        "FileHash-SHA256": 3155,
        "domain": 2894,
        "hostname": 2847,
        "CVE": 2,
        "email": 9,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 13628,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "152 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f5d903f30204d7740b4674",
      "name": "FFSS - Impacts of University Leadership (U of A) on Global EDU & Healthcare - 11.26.25",
      "description": "FFSS - Impacts of University Leadership (U of A) on Global EDU & Healthcare\nA missing piece of the puzzle. Redacted PII/PHI. \nRedacted specific users, but contains a list of URLs, IPs, and domains",
      "modified": "2025-12-26T19:00:31.552000",
      "created": "2025-10-20T06:38:59.827000",
      "tags": [
        "lgxzvz0r",
        "entity",
        "please",
        "javascript",
        "Education",
        "Technology",
        "University",
        "Healthcare"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/gdeb33b2284ec47739ae15daaf7a0ade8669439cc0f81433d9540e26c7831debc?theme=dark",
        "https://www.virustotal.com/gui/collection/0d117c1338ea8314404a1bfecd2e96a4b0d48dce795cbe57d702db3eb35998e1/iocs",
        "https://www.virustotal.com/graph/embed/g2484756a6bca4d9ca3b636b9775705296ed6d403bdd9471aab55afb1d5448630?theme=dark",
        "https://viz.greynoise.io/ip/analysis/0fc0805a-ed20-4be0-b91e-f4189a9619ce",
        "https://www.filescan.io/uploads/68f5e2a5c85c5c56972eaebb/reports/56841543-5615-4517-b718-77e27b2e8819/ioc",
        "https://polyswarm.network/scan/results/file/3a069ad7325feb0cc4d18ef7347ebdbed6290c2285634a2b43e07c7c6a759451",
        "https://metadefender.com/results/file/bzI1MTAyMEJqaHhnTWEwLU1VS181QVhwNHlP",
        "https://viz.greynoise.io/ip/analysis/8f018fe6-9b92-4817-9dfd-e0e08177a92c - 10.29.25",
        "https://viz.greynoise.io/ip/analysis/450bed8c-fc0d-48cb-aebe-56941da4886b - 11.26.25"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 865,
        "hostname": 460,
        "URL": 1031,
        "FileHash-MD5": 3509,
        "email": 5,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 12
      },
      "indicator_count": 5894,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "155 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "juno.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "juno.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212800.3487124
}