{
"type": "Domain",
"indicator": "mailstack.sbs",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/mailstack.sbs",
"alexa": "http://www.alexa.com/siteinfo/mailstack.sbs",
"indicator": "mailstack.sbs",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 4135509623,
"indicator": "mailstack.sbs",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 24,
"pulses": [
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "4 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ca31b28c2fa3e734bf5000",
"name": "instagram staged credit clone a vashti :(",
"description": "",
"modified": "2026-03-31T12:16:21.521000",
"created": "2026-03-30T08:17:54.205000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6949b6d8180bca3df9783578",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 911,
"domain": 178,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2008,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962bb143187f7cb571ef6f5",
"name": "Pahamify Pegasus",
"description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T20:48:20.438000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "78 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6949b6d8180bca3df9783578",
"name": "Instagram (staged) Emotet & Tofsee Backdoor",
"description": "If you choose to read this, I apologize for the riddle.Pegasus like tracking operation.\nAdversarial attack on a private citizens or (possibly staged instagram account). The citizen is not a known target. Attacks appear to arise from same internet criminals, allegedly State of Colorado employees engaged in permissible criminal behavior. Account does belongs to a person in sphere of a known monitored target. Target naturally has no communication with account holder. Known target had been invited to be Facebook friends of infected account holder multiple times, both target and associate declined and blocked this infected account holder. |\n\n* Infected Instagram account holders husband referred target to a Colorado Law Firm. The Law firm was attacked some time ago. | \n***Infected instagram account holder name is redacted. Is being tracked :(",
"modified": "2026-01-21T20:01:56.174000",
"created": "2025-12-22T21:23:36.083000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 910,
"domain": 177,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2006,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "87 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6944ce38344ccded23df66f5",
"name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.",
"description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .",
"modified": "2026-01-18T03:05:59.836000",
"created": "2025-12-19T04:02:00.973000",
"tags": [
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"free",
"benjamin",
"write",
"worm",
"win32",
"code",
"june",
"delphi",
"malware",
"benjamin",
"tulach",
"state of colorado",
"christopher p. \u2018buzz\u2019 ahmann",
"danica implants",
"nids_malware_alert",
"bonu$",
"network_icmp",
"network_irc",
"persistence_autorun",
"network_http",
"nids_alert",
"allocates_rwx",
"hackers",
"creates_exe",
"brian sabey",
"sour del",
"packer_entropy",
"antivm_memory_available",
"pe_features",
"get key",
"crime",
"organized crime",
"federal crime",
"cyber crime",
"piracy",
"status",
"china unknown",
"name servers",
"div div",
"ip address",
"domain",
"creation date",
"record value",
"meta",
"title",
"hong kong",
"passive dns",
"gmt content",
"type",
"content length",
"ipv4 add",
"urls",
"files",
"location hong",
"twitter",
"youtube",
"side 3 studios",
"denver music",
"infiltration",
"whistleblower",
"getkey",
"cyber warfare",
"fraud",
"financial crimes",
"pegasus",
"music front",
"france unknown",
"present feb",
"iran unknown",
"present nov",
"present jun",
"present jan",
"hidden",
"present jul",
"date",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"llc name",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"pattern match",
"mitre att",
"show technique",
"ck matrix",
"ascii text",
"href",
"show process",
"file",
"general",
"local",
"path",
"memory dumping",
"entries",
"icmp delphi",
"showing",
"delete",
"yara detections",
"windows nt",
"wow64",
"khtml",
"gecko",
"dns query",
"packing t1045",
"ransom",
"cve",
"palantir",
"remote",
"graham"
],
"references": [
"Amnesty.org | remote.amnesty.org",
"tulach.cc",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"Delphi This program must be run under Win32 Compilers",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"ipv4bot.whatismyipaddress.com",
"helloprismatic.com",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"Brian Sabey",
"Christopher P. \u2018Buzz\u2019 Ahmann"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Ransom:Win32/GandCrab",
"display_name": "Ransom:Win32/GandCrab",
"target": "/malware/Ransom:Win32/GandCrab"
},
{
"id": "CVE-2023-2868",
"display_name": "CVE-2023-2868",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 429,
"FileHash-SHA1": 341,
"FileHash-SHA256": 2766,
"URL": 6976,
"domain": 1151,
"CVE": 2,
"email": 3,
"hostname": 2913,
"SSLCertFingerprint": 4
},
"indicator_count": 14585,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "91 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693de4a8a72cf95b028365f0",
"name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee",
"description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets",
"modified": "2026-01-12T21:02:35.560000",
"created": "2025-12-13T22:11:52.474000",
"tags": [
"network",
"ip address",
"subnet",
"dynamicloader",
"port",
"destination",
"high",
"windows",
"united",
"write",
"tofsee",
"stream",
"win64",
"push",
"urls",
"url analysis",
"dnssec",
"script domains",
"encrypt",
"url add",
"http",
"related nids",
"flag united",
"germany",
"address google",
"passive dns",
"ipv4 add",
"files",
"asn as13335",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"location united",
"asn asnone",
"present dec",
"backdoor",
"lowfi",
"win32autoit mar",
"urls show",
"date checked",
"connection",
"httponly",
"secure",
"path",
"expiressat",
"dynamic cfray",
"medium",
"delete c",
"displayname",
"show",
"unknown",
"next",
"rndhex",
"malware",
"cname",
"next associated",
"url hostname",
"server response",
"google safe",
"read c",
"unicode",
"png image",
"rgba",
"memcommit",
"dock",
"execution",
"files location",
"china flag",
"china hostname",
"hostname",
"domain",
"files ip",
"address",
"asn as45102",
"gmt content",
"certificate",
"associated urls",
"location china",
"china asn",
"as4808 china",
"present aug",
"object",
"present apr",
"present oct",
"alman",
"present sep",
"error",
"present jul",
"rmndrp",
"present feb",
"expiration",
"url https",
"url http",
"iocs",
"review iocs",
"expireswed",
"samesitenone",
"maxage86400",
"maxage0",
"server",
"expires",
"victina nulcac",
"data upload",
"extraction",
"enter",
"enter source",
"url data",
"type",
"extract indic",
"included iocs",
"china unknown",
"botnet",
"folk in browser",
"japan unknown",
"asnone country",
"as13335",
"a domains",
"script urls",
"servers",
"title",
"moved",
"record value",
"entries",
"whitelisted",
"powershell",
"xf9xb5xf9",
"xxcexf6x8fr",
"k2xe7xcbxxeaxa2",
"x99x19",
"x88yxf9xc858",
"x83x12x8da",
"zx9bx8ex84",
"attempts",
"yara detections",
"contacted",
"tags none",
"file type",
"pe packer",
"dll compilation",
"guard",
"botnets"
],
"references": [
"https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
"x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
"foundry.neconsside.com \u2022 http://foundry.neconsside.com",
"http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
"IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America",
"Russian Federation",
"T\u00fcrkiye",
"Netherlands"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "HtBot",
"display_name": "HtBot",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1481",
"name": "Web Service",
"display_name": "T1481 - Web Service"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8145,
"domain": 1389,
"FileHash-SHA256": 1545,
"CIDR": 2,
"hostname": 2533,
"FileHash-MD5": 209,
"FileHash-SHA1": 190,
"email": 6,
"SSLCertFingerprint": 4
},
"indicator_count": 14023,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693b7dc3cf1996347652ef92",
"name": "Google Site Redirector - Tesla Hackers",
"description": "Silencing. By Tesla hackers. Awful example of how any victim of a crime; can become a target of the government..\nThis is especially true when the actual perpetrators work for the government are government affiliated, very wealthy, a celebrity or someone who is deemed important. In this instance the Quasi government sought to keep target seeking and obtaining life saving medical treatment, financial settlement that she was entitled to from assault, injuries from assault, false imprisonment, punitive damgages, pain and suffering, humiliation, premise liability, permanent (whole body disability @MMI ), many other crimes. The victims suffered from a great sadness and betrayal. \n\nObviously racist Elon Musk and crew have access to all government tools. Musk, All things cyber are at his disposal as \ncontinues to abuse privilege.\n They keep playing a God they don\u2019t believe in. God is the Ultimate Avenger.",
"modified": "2026-01-11T00:03:08.581000",
"created": "2025-12-12T02:28:19.107000",
"tags": [
"compromised_site_redirector_fromcharcode",
"site_redirector",
"string",
"regexp",
"error",
"number",
"sxa0",
"amptoken",
"optout",
"retrieving",
"notfound",
"write",
"form",
"flash",
"vd",
"tesla hackers",
"nxdomain",
"passive dns",
"ip address",
"domain",
"a nxdomain",
"urls",
"files",
"ip related",
"pulses otx",
"google",
"unknown",
"oracle",
"dynamicloader",
"medium",
"high",
"windows",
"rndhex",
"write c",
"rndchar",
"displayname",
"tofsee",
"yara rule",
"stream",
"strings",
"push",
"lte all",
"search otx",
"ource url",
"or text",
"paste",
"data upload",
"extraction",
"elon musk",
"indicator role",
"active related",
"ipv4",
"exploitsource",
"url https",
"url http",
"desktopinternet",
"title added",
"pulses ipv4",
"less see",
"ids detections",
"vuze bt",
"udp connection",
"contacted",
"filehash",
"av detections",
"yara detections",
"alerts",
"0x8aa42",
"0xe3107",
"upnp",
"http request",
"bittorrent",
"file",
"module load",
"t1129",
"post http",
"install",
"execution",
"malware",
"hostile",
"crawl",
"windows nt",
"wow64",
"get zona",
"get httpget",
"hash",
"entries",
"read c",
"suspicious",
"next",
"united"
],
"references": [
"Tesla Hackers | https://www.teslarati.com/spacex",
"Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint",
"142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source",
"IDS Detections Win32/ZonaInstaller Install Beacon",
"https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\",
"https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=",
"https://www.google-analytics.com/debug/bootstrap?id=\\",
"https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga",
"https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022",
"https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=",
"This is why our team tells a back story. It can and does happen to anyone.",
"We apologize for so may typos and errors. We strive to do better at that."
],
"public": 1,
"adversary": "Tesla Hackers",
"targeted_countries": [],
"malware_families": [
{
"id": "Vd",
"display_name": "Vd",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Trojan.12382640-1",
"display_name": "Win.Trojan.12382640-1",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 65,
"FileHash-SHA1": 34,
"FileHash-SHA256": 2032,
"URL": 4921,
"domain": 567,
"hostname": 1586,
"SSLCertFingerprint": 4
},
"indicator_count": 9209,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "98 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69212b59117e7e2eb6f3adbf",
"name": "X.com RAT \u2022 Tofsee | Attorney | Hacker | Affects visitors to his site.",
"description": "Christopher Ahmann again. I\u2019m not sure if he is really an attorney or a hacker. He could be a Hacker and a legal consultant. Again incredibly malicious activity. #contacted #tofsee #trojan #rat #apple #telegram #cnc #google #botnets #bots \n\n[OTC populated: The following is the full list of names you can find on the website of an American law firm, which is based in New York and New Jersey, and which can be accessed via a Google search.]",
"modified": "2025-12-22T02:05:33.541000",
"created": "2025-11-22T03:17:45.877000",
"tags": [
"twitter",
"rat",
"christopher p ahmann",
"trojan",
"lowfijavazkm",
"x",
"x.com",
"dynamicloader",
"yara rule",
"ms windows",
"windows",
"medium",
"united",
"ascii text",
"high",
"write",
"guard",
"defender",
"cybergate",
"smartassembly",
"malware",
"win64",
"unknown",
"encrypt",
"yara detections",
"contacted",
"av detections",
"ids detections",
"alerts",
"port",
"destination",
"write c",
"delete c",
"tofsee",
"stream",
"telegram",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"ssl certificate",
"pattern match",
"mitre att",
"path",
"hybrid",
"general",
"click",
"strings",
"legal entities",
"apple",
"liar"
],
"references": [
"x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law",
"IDS Detection : Win32.Cybergate RAT SQLite DL",
"IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity",
"Yara Detections : Nullsoft_NSIS",
"Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location",
"Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content",
"Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process",
"Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"Alerts: reads_memory_remote_process network_connection_via_suspicious_process",
"IDS Detections : Win32/Tofsee.AX google.com connectivity check",
"IDS Detections : HTTP Request with Lowercase host Header Observed",
"IDS Detections : Observed Telegram Domain (t .me in TLS SNI)",
"Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind",
"Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara",
"Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk",
"Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect",
"Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep",
"appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/",
"https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com",
"https://v2.papadustream.tv/episode/the-walking-dead-1x1",
"https://www.rubreyatson.ddnsgeek.com/",
"https://parabellumnorth.com/product/py2a-g17-69-rail-set/",
"remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com",
"https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe",
"accounts.google.com"
],
"public": 1,
"adversary": "Christopher Paul Ahmann",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#LowfiJavaZKM",
"display_name": "#LowfiJavaZKM",
"target": null
},
{
"id": "Win.Dropper.Tofsee-10012410-0",
"display_name": "Win.Dropper.Tofsee-10012410-0",
"target": null
},
{
"id": "Win.Dropper.Tofsee-10012410-0",
"display_name": "Win.Dropper.Tofsee-10012410-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 360,
"URL": 1750,
"FileHash-MD5": 120,
"FileHash-SHA1": 80,
"FileHash-SHA256": 1269,
"SSLCertFingerprint": 9,
"hostname": 644
},
"indicator_count": 4232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "118 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69138a8144a8bf8040a92711",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large",
"description": "",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-11T19:12:01.843000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": "6910cafb096eae0dcb39a800",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6910cafb096eae0dcb39a800",
"name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears",
"modified": "2025-12-09T17:03:48.645000",
"created": "2025-11-09T17:10:19.498000",
"tags": [
"url http",
"apple",
"california",
"apple public",
"server rsa",
"organization",
"stateprovince",
"ocsp",
"nids united",
"files",
"united",
"unknown ns",
"ip address",
"domain",
"urls files",
"passive dns",
"found title",
"sf hello",
"myriad set",
"pro myriad",
"set lucida",
"grande arial",
"sf mono",
"ipv4",
"location united",
"america flag",
"america asn",
"verdict",
"files ip",
"address",
"as42 woodynet",
"domain add",
"ipv4 add",
"reverse dns",
"trojan",
"name servers",
"emails",
"for privacy",
"ltd dba",
"com laude",
"servers",
"expiration date",
"urls",
"meta",
"a domains",
"country code",
"store home",
"title",
"accept",
"espaol",
"english",
"evil corp",
"see all",
"cyber hack",
"republic",
"canada",
"season",
"joe tidy",
"sarah rainsford",
"podcast",
"bank",
"ukraine",
"dead",
"indonesia",
"police",
"premium",
"napoleon",
"revolution",
"michelangelo",
"mozart",
"global",
"solid",
"lazarus",
"jabber zeus",
"harrods",
"ta markmonitor",
"markmonitor",
"search",
"present aug",
"unknown aaaa",
"unknown soa",
"win32",
"invalid url",
"trojanspy",
"mtb apr",
"backdoor",
"next associated",
"win64",
"trojandropper",
"twitter",
"virtool",
"ransom",
"worm",
"dynamicloader",
"tlsv1",
"high",
"globalc",
"medium",
"windows",
"cmd c",
"delete c",
"stream",
"write",
"next",
"process32nextw",
"http host",
"dns query",
"likely gandcrab",
"et trojan",
"windows nt",
"wow64",
"malware",
"ms windows",
"as16509",
"as54113",
"yara rule",
"pe32 executable",
"as15169",
"powershell",
"unknown",
"response ip",
"address google",
"safe browsing",
"hostname add",
"port",
"destination",
"pe32",
"intel",
"error",
"show",
"delphi",
"dcom",
"form",
"canvas",
"united kingdom",
"content type",
"security",
"moved",
"great britain",
"unknown a",
"body doctype",
"html public",
"ietfdtd html",
"showing",
"packing t1045",
"bytes",
"read",
"default",
"christoper p ahmann",
"target",
"victims",
"tsara brashears",
"url https",
"type indicator",
"role title",
"added active",
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"present nov",
"present oct",
"date",
"tcpmemhit",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"mitre att",
"pattern match",
"show technique",
"ck matrix",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"palantir",
"foundry",
"hitmen",
"quasi",
"government contracts",
"jeffrey reimer",
"hallrender",
"workers compensation",
"record value",
"certificate"
],
"references": [
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"bpc-old.palantirfoundry.com",
"OTX auto populated targeted groups.",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"They blatantly steal from citizens , blame foreign entities.",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents."
],
"public": 1,
"adversary": "Lazarus",
"targeted_countries": [
"Bangladesh",
"Japan",
"United States of America"
],
"malware_families": [
{
"id": "ALF:SpikeAexR.PEVPSZL",
"display_name": "ALF:SpikeAexR.PEVPSZL",
"target": null
},
{
"id": "Ransom:MSIL/GandCrab",
"display_name": "Ransom:MSIL/GandCrab",
"target": "/malware/Ransom:MSIL/GandCrab"
},
{
"id": "Zeus",
"display_name": "Zeus",
"target": null
},
{
"id": "Ransom:Win32/Gandcrab.H!MTB",
"display_name": "Ransom:Win32/Gandcrab.H!MTB",
"target": "/malware/Ransom:Win32/Gandcrab.H!MTB"
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [
"Banks",
"Crypto",
"Entertainment",
"Bank"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4572,
"FileHash-MD5": 196,
"domain": 1523,
"hostname": 1393,
"FileHash-SHA256": 2400,
"FileHash-SHA1": 175,
"email": 18,
"SSLCertFingerprint": 8
},
"indicator_count": 10285,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "130 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ee5ea4d51d4a1cabdb4ee9",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:31:00.172000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ee5e9f8cfc5fbc73142660",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:30:55.471000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68edc1c2be848e73a32ab9ba",
"name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk",
"description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related",
"modified": "2025-11-13T02:02:12.454000",
"created": "2025-10-14T03:21:38.305000",
"tags": [
"pulses ipv4",
"ipv4",
"div div",
"united",
"script script",
"a li",
"present jul",
"param",
"entries",
"present aug",
"certificate",
"global domains",
"date",
"title",
"class",
"meta",
"agent",
"stack",
"life",
"a domains",
"passive dns",
"urls",
"ok server",
"gmt content",
"type",
"hostname add",
"pulse pulses",
"files",
"win32mydoom oct",
"trojan",
"next associated",
"pulse",
"reverse dns",
"twitter",
"body",
"dynamicloader",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"unknown",
"copy",
"write",
"malware",
"push",
"next",
"autorun",
"suspicious",
"ip address",
"unknown ns",
"unknown aaaa",
"ipv4 add",
"location united",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ck id",
"show technique",
"mitre att",
"path",
"error",
"fatalerror",
"general",
"hybrid",
"local",
"click",
"strings",
"filehashsha256",
"filehashmd5",
"filehashsha1",
"iist",
"malware family",
"mydoom att",
"ck ids",
"t1060",
"run keys",
"indicator role",
"title added",
"active related",
"showing",
"url https",
"url http",
"startup",
"folder",
"web protocols",
"t1105",
"tool transfer",
"indicators hong",
"kong",
"china",
"germany",
"australia",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"wire",
"t1071"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2724,
"hostname": 1212,
"domain": 410,
"FileHash-MD5": 408,
"email": 9,
"FileHash-SHA256": 604,
"FileHash-SHA1": 307
},
"indicator_count": 5674,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d877d6231fc1cbe1792ee1",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:38.895000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "173 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d877e28416d81633bae1ad",
"name": "PolyRansom attack through malicious actor on threat platforms",
"description": "Virlock , PolyRansom and multiple other attacks through malicious actor using social engineering tactics. Has a rigged platform. Goal -\n to gain complete command and control of users in great platforms. Has infected at least a single device.\n#domainrobot #socialengineeeing #Tofsee\n#Trojan:Win32/Vflooder\n#Unix.Dropper.Mirai-7135870-0\n#Virus.Virlock/Nabucur\n#Win.Packer.pkr_ce1a-9980177-0\n#Win.Virus.PolyRansom",
"modified": "2025-10-27T22:02:25.163000",
"created": "2025-09-27T23:48:50.976000",
"tags": [
"iocs",
"indicator role",
"write c",
"intel",
"ms windows",
"medium",
"pe32",
"delete",
"ids detections",
"yara detections",
"write",
"malware",
"delete c",
"windows",
"high",
"port",
"encrypt",
"tofsee",
"stream",
"passive dns",
"http",
"ip address",
"related nids",
"files location",
"united states",
"united",
"win32",
"trojan",
"mtb may",
"twitter",
"hellspawn",
"worm",
"title",
"emails",
"servers",
"get http",
"dns resolutions",
"http traffic",
"command",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"request",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"present sep",
"aaaa",
"resolved ips",
"ip traffic",
"displayname",
"yara rule",
"loaderid",
"name servers",
"urls",
"domain robot",
"mail",
"moved",
"media gmbh",
"info file",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"host",
"generic http",
"exe upload",
"inbound",
"outbound",
"markus",
"certificate",
"record value",
"object",
"path",
"server",
"registrar abuse",
"contact email",
"contact phone",
"registrar iana",
"registrar url",
"diablo",
"gandi sas",
"gandi",
"diablo attacks",
"bluemind",
"alberta",
"domain add",
"asn as16625",
"akamai",
"less whois",
"registrar",
"metrobytmobile",
"t mobile",
"metro",
"present jul",
"present jun",
"present aug",
"germany unknown",
"germany",
"invalid url",
"ipv4 add",
"frankfurt",
"main",
"no entries",
"entrust",
"hostname add",
"files loading",
"mimic",
"first address",
"medium attempts",
"process",
"explorer",
"windows startup",
"kuwiqsma",
"match medium",
"medium installs",
"installs",
"t regdword",
"user",
"ntcreatefile",
"filehandle",
"createfilew",
"getfilesize",
"blpdqe",
"jjqcpluanwwhg",
"u0012",
"desiredaccess",
"keyhandle",
"ntopenkeyex",
"u001aw",
"u0018",
"read",
"next",
"tags none",
"file type",
"date september",
"am size",
"imphash pehash",
"richhash",
"south korea",
"taiwan as3462",
"as21928",
"china as4134",
"as4766 korea",
"china as4837",
"as9318 sk",
"as701 verizon",
"verizon",
"tcp syn",
"infectednight",
"resolverror",
"tref neutral",
"ck technique",
"technique id",
"tofsee high",
"overview whois",
"pulses",
"tags",
"related tags",
"more external",
"resources whois",
"urlvoid",
"tavao.exe",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"spawns",
"access att",
"ascii text",
"pattern match",
"mitre att",
"size",
"meta",
"null",
"error",
"click",
"roboto",
"hybrid",
"general",
"local",
"starfield",
"strings",
"refresh",
"tools",
"onload",
"span",
"iframe",
"found",
"t1480 execution",
"backdoor",
"a domains",
"russia",
"next associated",
"link",
"windir",
"interesting",
"show technique",
"ck matrix",
"network traffic",
"t1071",
"t1057",
"lowfi",
"gameforprofits",
"game att",
"night got",
"job done infected"
],
"references": [
"DiabloFans ClapBack: Google. Com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"MetrobyT-mobile",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Trojan:Win32/Vflooder",
"display_name": "Trojan:Win32/Vflooder",
"target": "/malware/Trojan:Win32/Vflooder"
},
{
"id": "Virus.Virlock/Nabucur",
"display_name": "Virus.Virlock/Nabucur",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "Unix.Dropper.Mirai-7135870-0",
"display_name": "Unix.Dropper.Mirai-7135870-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 450,
"FileHash-SHA1": 435,
"FileHash-SHA256": 2092,
"URL": 646,
"domain": 593,
"SSLCertFingerprint": 9,
"hostname": 657,
"email": 13
},
"indicator_count": 4895,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "173 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi",
"https://www.google \u2022 https://ampcid.google.com/v1/publisher \u2022\u2019https://ampcid.google.com/v1/publisher:getClientId\\",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"https://eurotarget.com/it/auto/toyota/c-hr/",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"https://t.me/",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC",
"mac.store",
"Alerts : persistence_autorun persistence_autorun_tasks network_smtp procmem_yara",
"admin@bigtits.com",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.",
"I apologize for the lack of reference.",
"euw-serp-dev-testing19.duck.ai",
"http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co",
"x.com | https://x.com/search?q=Ahmann-Christopher-PC-Attorney-at-Law",
"https://icloud.ch/cn/ipod-touch/",
"This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.",
"Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey",
"appleid.cdn-apple.com \u2022 apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"https://v2.papadustream.tv/episode/the-walking-dead-1x1",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"https://l.us-1.a.mimecastprotect.com/l",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"Attacks are being carried out by The State of Colorado",
"Amnesty.org | remote.amnesty.org",
"Alerts: antisandbox_sleep creates_largekey process_creation_suspicious_location",
"Alerts : static_pe_anomaly suricata_alert antivm_bochs_keys antivm_generic_disk",
"ipv4bot.whatismyipaddress.com",
"Unix.Dropper.Mirai inc. 1 Telstra Corporation Ltd 1.125.165.62 \u2022 Australia AS1221 Telstra",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Christopher P. \u2018Buzz\u2019 Ahmann",
"http://audaxgroup.appleid.com/",
"ids-apple.com \u2022 itunes.org",
"Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP",
"MetrobyT-mobile",
"bpc-old.palantirfoundry.com",
"Crowdsourced IDS: ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check Rule Match",
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Delphi This program must be run under Win32 Compilers",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"This is why our team tells a back story. It can and does happen to anyone.",
"https://aspmx.l.google.com/",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"http://api.jmtstudios.org/",
"http://console.applemarketingtools.com/",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
"IDS Detections Win32/ZonaInstaller Install Beacon",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"IDS Detections : Win32/Tofsee.AX google.com connectivity check",
"account-apple.com",
"accounts.google.com",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"https://parabellumnorth.com/product/py2a-g17-69-rail-set/",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Tesla Hackers | https://www.teslarati.com/spacex",
"https://hyperbot.net/ \u2022http://rarebot.com/rarebot-installer.exe",
"firebase-auth-eich0v.pages.dev",
"IDS Detections : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections : Observed Telegram Domain (t .me in TLS SNI)",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"Yara Detections : Nullsoft_NSIS",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"Same legal , and quasi governmental pattern identified",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"Yara Detections :compromised_site_redirector_fromcharcode Alerts network_icmp js_eval recon_fingerprint",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"Unix.Dropper.Mirai inc. 100.181.126.203 \u2022 United States\tAS21928 t-mobile usa inc.",
"Musiclab, LLC",
"OTX auto populated targeted groups.",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"We apologize for so may typos and errors. We strive to do better at that.",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"https://stats.g.doubleclick.net/j/collect\\ \u2022 https://tagassistant.google.com/ \u2022 https://www.google.com/ads/ga",
"Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available",
"apple.com(-inc.cc)",
"Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Alerts : persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep",
"Contacted: newmethcnc.duckdns.org",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"Requires further research.",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"Unix.Dropper.Mirai inc. 1 Korea Telecom 1.107.218.24 \u2022 South Korea\tAS4766",
"https://www.google-analytics.com/debug/bootstrap?id=\\",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"http://apple.support.com/ht***** redirect",
"http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}",
"https://tagassistant.google.com/ \u2022 https://www.google-analytics.com/debug/bootstrap?id=",
"Crowdsourced IDS: Unique rule identifier: This rule belongs to a private collection",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://apple.k8s.joewa.com/ \u2022 http://www.gtaging.apple.pol.kozow.com",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly",
"https://freedns.afraid.org/images/exclamation",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"smtp2.icl-privaterelay.appleid.com",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"Redirect: schemas.microsoft.com",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"https://khmerpornvideo.signup0.y.id/",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"bricked.wtf",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"metropcs.com/account/sign-in.html",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"https://www.jmtstudios.org/farewell/",
"IDS Detection : Win32.Cybergate RAT SQLite DL",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"DiabloFans ClapBack: Google. Com",
"https://palantir-staging.staging.candidate.app.paulsjob.ai/",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support",
"BearShare Install File Version 12.0.0.135802",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"They blatantly steal from citizens , blame foreign entities.",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"oas-japac-domains-applecomputer.cn",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"https://clear.ml/infrastructure-control-plane",
"africa.konnect.com",
"x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
"142.250.74.142.250.74.138 _exploit_source | 142.250.74.138 _exploit_source | 142.250.74.142_exploit_source",
"Alerts: suricata_alert antiav_detectfile antivm_bochs_keys cape_extracted_content",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"CS\u2019d IDS: ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) Rule Match",
"Alerts: reads_memory_remote_process network_connection_via_suspicious_process",
"Yara Detections: Tofsee",
"http://cab.applemarketingtools.com",
"Alerts : antivm_generic_services deletes_executed_files injection_runpe dead_connect",
"xn--cloud-4sa.com",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Appears to be closely associated with close relative and initial victim of attack.",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
"It appears there are 5-7 known affected that I was able to find",
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"https://www.googletagmanager.com/gtag/js?id=\\ \u2022 https://www.google-analytics.com/gtm/js?id=",
"Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"Alerts: behavior_tofsee suspicious_iocontrol_codes creates_largekey network_bind",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked.",
"div>
",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://www.google-analytics.com/gtm/js?id=\\ \u2022 https://www.googletagmanager.com/gtag/js?id= \u2022",
"howtoworkacrickoutofyourneck2.pages.dev",
"monitor.kyos.ninja",
"iphonegermany.com",
"You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists",
"Crowdsourced IDS: Matches rule SURICATA HTTP missing Host header",
"Unix.Dropper.Mirai inc. 1 Verizon : 100.10.95.119 United States \u2022 AS701 Verizon",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de",
"robert-aebi.appleid.com",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"monitoring.eurovision.net",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Brian Sabey",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections : HTTP Request with Lowercase host Header Observed",
"IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"Alerts: infostealer_keylog injection_runpe suspicious_command_tools antidebug_guardpages mouse_movement_detect dynamic_function_loading resumethread_remote_process reads_memory_remote_process network_connection_via_suspicious_process",
"foundry.neconsside.com \u2022 http://foundry.neconsside.com",
"https://www.rubreyatson.ddnsgeek.com/",
"Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Instagram.com",
"IDS Detections : HTTP GET Request for sqlite3.dll - Possible Infostealer Activity",
"tulach.cc",
"remotewd.com \u2022 device-194a3e38-d1e7-421a-8a01-d136fef966f1.remotewd.com",
"UA Alberta | Somehow I don\u2019t think this is part of a match but rather an attack. Mimic",
"http://www.icloud-sms-alert.com/",
"helloprismatic.com",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"https://apps.apple.com/app/",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"https://icloud.ch/",
"IDS Detections: tofsee"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"Tesla Hackers",
"Christopher Paul Ahmann",
"Lazarus"
],
"malware_families": [
"Virtool:win32/vbinject.gen!mh",
"Alf:exploit:o97m/cve-2017-8977",
"Win32:botx-gen\\ [trj]",
"#lowfi:hstr:criakl.b1",
"Worm:win32/bloored",
"Ddos:linux/gafgyt.ya!mtb",
"Zeus",
"Autoit",
"Vd",
"Unix.trojan.tsunami-6981155-0",
"Win.trojan.barys-10005825-0",
"Emotet",
"Cycbot",
"Win.trojan.installcore-877",
"Win.virus.polyransom-5704625-0",
"Win.packer.pkr_ce1a-9980177-0",
"Backdoor:win32/tofsee",
"Win.trojan.tofsee-7102058-0",
"Cve-2023-22518",
"Icedid",
"Win.malware.reline-9887776-0",
"Mydoom",
"Trojandownloader:win32/cutwailransom:win32/crowti.a",
"Win.trojan.gravityrat-6511862-0",
"Win.downloader.small-4507",
"#lowfi:lua:dllsuspiciousexport.a",
"Worm",
"\u2019m",
"Worm:win32/mydoom",
"Alf:spikeaexr.pevpszl",
"Unix.dropper.mirai-7135870-0",
"Backdoor:win32/arwobot.b",
"Ransom:win32/gandcrab",
"Unix.trojan.gafgyt-6981154-0",
"Tofsee",
"Trojan:win32/icedid.di!mtb",
"Win.malware.mikey-9949492-0",
"Win.trojan.tepfer-61",
"Ransom:msil/gandcrab",
"Ransom:win32/crowti.a",
"Win.malware.convagent-9981433-0",
"Worm:win32/autorun",
"Cve-2023-2868",
"Win.trojan.12382640-1",
"Virus.virlock/nabucur",
"Trojandownloader:win32/cutwail",
"Alf:heraklezeval:trojan:msil/gravityrat!rfn",
"Alf:jasyp:pua:win32/4shared",
"Trojan:win32/vflooder",
"Trojandropper:win32/systex.a",
"#lowfijavazkm",
"Mirai",
"Win.dropper.tofsee-10012410-0",
"Win32/searchsuite",
"Nids",
"Ransom:win32/gandcrab.h!mtb",
"Trojan:win32/qbot.r!mtb",
"Win.packed.bandook-9882274-1",
"Mirai (elf)",
"Backdoor:linux/mirai.n!mtb",
"Win.downloader.small",
"Worm:win32/benjamin",
"Backdoor:linux/demonbot.aa!mtb",
"Backdoor:win32/tofsee.t",
"Win.malware.jaik-9968280-0",
"Alf:nid:susp_nsis_stub.a",
"Tibs",
"Win32.application.bearshare.a",
"Cve-2017-11882",
"Htbot",
"Other malware",
"Upadter",
"Trojan:win32/emotet.yl",
"Trojan:win32/smkldr.h!mtb",
"Win.malware.elenooka-6996044-0",
"Exploit:win32/cve-2017-0147"
],
"industries": [
"Construction",
"Legal",
"Technology",
"Telecom",
"Crypto",
"Bank",
"Banks",
"Healthcare",
"Entertainment",
"Insurance",
"Government"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 24,
"pulses": [
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "4 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "7 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ca31b28c2fa3e734bf5000",
"name": "instagram staged credit clone a vashti :(",
"description": "",
"modified": "2026-03-31T12:16:21.521000",
"created": "2026-03-30T08:17:54.205000",
"tags": [
"dynamicloader",
"port",
"destination",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"write",
"stream",
"malware",
"systemroot",
"write c",
"displayname",
"windows",
"trojan",
"defender",
"unknown",
"less see",
"all ip",
"contacted",
"less related",
"meta",
"emotet",
"backdoor",
"packer",
"many",
"hall render",
"brian sabey",
"christopher p. ahmann",
"state of colorado",
"google",
"yahoo",
"microsoft",
"stealth window",
"reads_self",
"injection write process",
"remote",
"remote process",
"dynamic function loading",
"compromises device",
"dead connect",
"dynamic loader",
"command",
"cnc",
"sleep sandbox",
"iocontrol",
"behavior tofsee",
"suspicious code",
"injection",
"persistence",
"rootkit",
"social media",
"belgium belgium",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"network traffic",
"t1071",
"spawns",
"html content",
"href",
"general",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"defense evasion",
"development att",
"tracking"
],
"references": [
"Instagram.com",
"IDS Detections: tofsee",
"Alerts antivm_generic_services persistence_ads anomalous_deletefile Idead_connect",
"Alerts: suspicious_tld queries_computer_name dynamic_function_loading",
"Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
"IP\u2019s Contacted: 94.100.180.31 142.251.9.27 98.136.96.91 43.231.4.7 52.101.8.42",
"Domains Contacted microsoft.com microsoft-com.mail.protection.outlook.com yahoo.com mta7.am0.yahoodns.net google.com",
"Brian Sabey , Christopher P. Ahmann , State of Colorado who",
"http://tracking-sa3.account.riyadhair.com/tracking/1/open/UGnB4w8RQiQ_9PYty4S-rwBmOetPQw3ubFHSNKg_IdhZfkaCbjqN3pnR4Xwk6pQcRBqF2aoq0uEaKMM4CX1kTpZsAD10-fxAPEgqGzJ2o7BJmsh_G2B6P-m_Xqc_LOycbcGBss0kXIEJvMGRw2SMITzqmVnh1yI_FuZV37qgGHZG3lP1V-WMaNTc8FYNIcgSRyTFamC5k3I1LkpsmTgX5Dd20Ko3IxUqFRC74clpVo-uFwRAb1Q1gSfKrDBX6_LaXkgv9gfyPy7L2BKxAmFBe-Ump3D_wGRDTXekPO5VZJ46hn0pUrOy2g8606kgb703eJVnmrz0cgCd-8P1dOdfoOFrSqOuXzfDNCaUU-2xl1aHVjGCZGIWX6B4bYqznMqsvI8UxoitF5tZTZ3opRhymDkrsItHdJPUnzkc6N_Z370RVT54BihKCohH14lIRQVQN9v74E",
"Looks like a Pegasus tracking sphere. All contacts and contacts, contacts tracked."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Emotet.YL",
"display_name": "Trojan:Win32/Emotet.YL",
"target": "/malware/Trojan:Win32/Emotet.YL"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6949b6d8180bca3df9783578",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 911,
"domain": 178,
"hostname": 206,
"FileHash-SHA256": 647,
"FileHash-MD5": 38,
"FileHash-SHA1": 28
},
"indicator_count": 2008,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699c6ef61298b57cd7275728",
"name": "Apple Support IOC\u2019s IcedID | Bloored | Mydoom worm | iOS IOC\u2019s",
"description": "A list of Apple and Apple related iOS\u2019s linked to a malicious redirect found in an apple.support.com redirect. Two separate Apple ID\u2019s on one iPhone. | Mimecast compromised with Emotet. iCloud siphoning. Related to Pulse found in references. | IOC\u2019s came from a single url.",
"modified": "2026-03-25T07:05:10.628000",
"created": "2026-02-23T15:15:02.857000",
"tags": [
"ipv4",
"http",
"passive dns",
"files domain",
"united",
"unknown ns",
"for privacy",
"ip address",
"domain",
"dynamicloader",
"antivirus",
"yara rule",
"fe ff",
"write c",
"msvisualcpp60",
"rsds",
"e8 c8",
"e8 a8",
"ff e1",
"unknown",
"worm",
"launch",
"write",
"explorer",
"february",
"push",
"service",
"files",
"reverse dns",
"america flag",
"america asn",
"url add",
"otx logo",
"all ipv4",
"searc",
"date checked",
"server response",
"results dec",
"unknown soa",
"present aug",
"present oct",
"present sep",
"present nov",
"moved",
"error",
"title",
"win32mydoom feb",
"aaaa",
"name servers",
"trojan",
"servers",
"virtool",
"united states",
"apple",
"crlf line",
"unicode text",
"utf8",
"ff d5",
"ascii text",
"ee fc",
"suspicious",
"music",
"malware",
"role title",
"ttl value",
".cc",
"d4 f5",
"msvisualcpp2002",
"msvisualcpp2005",
"apple support",
".ch",
"privaterelay",
"pattern match",
"ck id",
"mitre att",
"ck matrix",
"href",
"et info",
"general",
"local",
"path",
"click",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"present jun",
"backdoor",
"present may",
"status",
"ransom",
"high",
"medium",
"windows",
"tofsee",
"loaderid",
"lidfileupd",
"localcfg",
"rndhex",
"stream",
"delete",
"emotet",
"bot network",
"mitm",
"screenshot",
"mimecast"
],
"references": [
"http://apple.support.com/ht***** redirect",
"https://otx.alienvault.com/pulse/699b907c5375efb7ce1639b8",
"mac.store",
"https://icloud.ch/cn/ipod-touch/",
"https://icloud.ch/",
"https://multicash.smbcgroup.com/gb/App/Authentication/Challenge",
"https://uatapp.pacificcross.com.ph/Oqapv2uatRedirect/",
"Redirect: schemas.microsoft.com",
"apple.com(-inc.cc)",
"oas-japac-domains-applecomputer.cn",
"robert-aebi.appleid.com",
"smtp2.icl-privaterelay.appleid.com",
"http://audaxgroup.appleid.com/",
"https://otx.alienvault.com/indicator/url/http://ipodtouch.co/?cid=oas-japac-domains-applecomputer.com.cn/ing/product+validatie.php",
"iphonegermany.com",
"api.mr-2538.dev-phoenix.diagnostics.si.siemens.cloud",
"https://aspmx.l.google.com/",
"api.us-1.a.mimecastprotect.com l.uk-1.a.mimecastprotect.com",
"de-smtp-inbound-1.mimecast.com de-smtp-inbound-2.mimecast.com",
"http://www.icloud-sms-alert.com/",
"monitoring.eurovision.net",
"https://www.irby.com/iub-en/services/testing-and-monitoring",
"monitor.kyos.ninja"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/IcedId.DI!MTB",
"display_name": "Trojan:Win32/IcedId.DI!MTB",
"target": "/malware/Trojan:Win32/IcedId.DI!MTB"
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Worm:Win32/Bloored",
"display_name": "Worm:Win32/Bloored",
"target": "/malware/Worm:Win32/Bloored"
},
{
"id": "Win.Malware.Elenooka-6996044-0",
"display_name": "Win.Malware.Elenooka-6996044-0",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6031,
"hostname": 1971,
"domain": 1125,
"FileHash-SHA256": 1715,
"email": 18,
"FileHash-MD5": 317,
"FileHash-SHA1": 164
},
"indicator_count": 11341,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6967bc8b26b69d4dc2604a13",
"name": "Telegram@V2ray_Alpha/ | Mirai | ExhoBot CNC | EtT",
"description": "Inbound Outbound connections. Tel et error. Hacking activity affecting various forms of connectivity via telecom. Possibly a controls\n computer vehicle connects to. Related? I was researching increased malicious activity aimed against a target. An associate close to target reported (mid research) Vehicle reported \u2018no longer being able to communicate. Module 5 has an error. Please contact customer service). Targets car was powered oof. No Bluetooth connection. No reports. Audio off. No phone message, connection or dial. This is targets experience not mowing what I was researching.",
"modified": "2026-02-13T15:04:30.631000",
"created": "2026-01-14T15:55:55.693000",
"tags": [
"v2rayalpha",
"united",
"unknown ns",
"unknown aaaa",
"domain add",
"urls",
"files",
"domain",
"github",
"file format",
"jkvpn",
"jointelegram",
"farahvpn vless",
"post",
"universal",
"scribd",
"typews",
"telegram",
"rdap",
"handle",
"iana registrar",
"roles",
"dnssec",
"aaaa",
"ttl value",
"rdap database",
"links",
"backdoor",
"antigua",
"virgin islands",
"status",
"org domains",
"proxy",
"ip address",
"barbuda unknown",
"passive dns",
"ipv4 add",
"twitter",
"dynamicloader",
"port",
"delete c",
"destination",
"high",
"windows",
"medium",
"displayname",
"write",
"tofsee",
"stream",
"malware",
"push",
"next",
"url add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"evasion att",
"sha256",
"sha1",
"pattern match",
"ascii text",
"href",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"search",
"moved",
"record value",
"servers",
"title",
"encrypt",
"canada unknown",
"gmt content",
"reverse dns",
"location canada",
"canada asn",
"accept",
"cookie",
"dll read",
"function read",
"wscriptshell",
"shortcut",
"guard",
"error",
"present jan",
"name servers",
"registrar url",
"hong kong",
"invalid url",
"url analysis",
"location hong",
"kong flag",
"msie",
"chrome",
"type",
"media type",
"certificate",
"hostname add",
"present nov",
"present sep",
"present oct",
"expiration date",
"present dec",
"script urls",
"a domains",
"present mar",
"present feb",
"meta",
"show",
"read c",
"entries",
"read",
"intel",
"ms windows",
"delete",
"please",
"artemis",
"virustotal",
"trojan",
"mcafee",
"drweb",
"vipre",
"panda",
"write c",
"total",
"next associated",
"thursday",
"gmt cache",
"ipv4",
"form",
"date",
"mirai",
"telnet login",
"south korea",
"bad login",
"as4766 korea",
"taiwan as3462",
"china as45090",
"telnet root",
"cve201717215",
"execution",
"copy",
"contacted",
"mtb ids",
"dns query",
"variant cnc",
"domain huawei",
"remote command",
"huawei remote",
"echobot",
"linux mirai",
"monitoring",
"cnc"
],
"references": [
"https://pamchall.com/Telegram@V2ray_Alpha/",
"Domain: t.me \u2022 Email: 1047f946-a6da-45dd-fa53-e00edb48e367@www.speedtest.net",
"https://t.me/",
"Win32/Tofsee.AX google.com connectivity check",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Cabinet_Archive , SFX_CAB",
"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
"Antivirus Detections: ELF:Mirai-AAL\\ [Trj] , Unix.Trojan.Mirai-1 , Backdoor:Linux/Mirai.N!MTB",
"IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain Huawei Remote Command Execution (CVE-2017-17215)",
"Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"Huawei HG532 RCE Vulnerability (CVE-2017-17215)",
"DYNAMIC_DNS Query to *.duckdns. Domain",
"SUSPICIOUS Path to BusyBox HiSilicon DVR - Default",
"Telnet Root Password Inbound TELNET login failed root login Bad Login Less",
"Yara Detections Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai , ECHOBOT",
"dead_host network_icmp tcp_syn_scan nolookup_communication networkdyndns_checkip writes_to_stdout",
"IP\u2019s Contacted: 1.0.21.231 1.0.42.181 1.1.116.28 1.10.203.28 1.10.54.62 1.101.0.202",
"IP\u2019s Contacted: 1.101.184.254 1.103.104.9 1.103.141.89 1.104.104.227",
"Contacted: newmethcnc.duckdns.org",
"https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e",
"https://eurotarget.com/it/auto/toyota/c-hr/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win.Malware.Reline-9887776-0",
"display_name": "Win.Malware.Reline-9887776-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai.N!MTB",
"display_name": "Backdoor:Linux/Mirai.N!MTB",
"target": "/malware/Backdoor:Linux/Mirai.N!MTB"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1399",
"name": "Modify Trusted Execution Environment",
"display_name": "T1399 - Modify Trusted Execution Environment"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1011.001",
"name": "Exfiltration Over Bluetooth",
"display_name": "T1011.001 - Exfiltration Over Bluetooth"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0029",
"name": "Privilege Escalation",
"display_name": "TA0029 - Privilege Escalation"
}
],
"industries": [
"Telecom"
],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6227,
"domain": 1437,
"hostname": 2331,
"email": 8,
"FileHash-SHA256": 3252,
"FileHash-MD5": 465,
"FileHash-SHA1": 457,
"CIDR": 1,
"CVE": 3
},
"indicator_count": 14181,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "65 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "mailstack.sbs",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "mailstack.sbs",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776611475.5707817
}