{
"type": "Domain",
"indicator": "messagingengine.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/messagingengine.com",
"alexa": "http://www.alexa.com/siteinfo/messagingengine.com",
"indicator": "messagingengine.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2781619112,
"indicator": "messagingengine.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 29,
"pulses": [
{
"id": "69a1535debec4128ab952040",
"name": "I See You, Too. #.icu",
"description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-27T08:18:37.071000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 294,
"CVE": 22,
"URL": 278,
"FileHash-MD5": 234,
"FileHash-SHA1": 240,
"FileHash-SHA256": 1663,
"hostname": 142,
"YARA": 1,
"email": 13,
"CIDR": 2
},
"indicator_count": 2889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962bb143187f7cb571ef6f5",
"name": "Pahamify Pegasus",
"description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T20:48:20.438000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6905d40f781d7d58d4021a20",
"name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.",
"description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.",
"modified": "2025-12-20T06:00:23.758000",
"created": "2025-11-01T09:34:07.323000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8332,
"domain": 4819,
"hostname": 2165,
"FileHash-SHA256": 7369,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 23637,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "120 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69137ee5d76d486d65396af0",
"name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-11T18:22:29.976000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6906c12b1dd6a64ab1beaa55",
"name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-02T02:25:47.431000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ee5ea4d51d4a1cabdb4ee9",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:31:00.172000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ee5e9f8cfc5fbc73142660",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:30:55.471000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68edc1c2be848e73a32ab9ba",
"name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk",
"description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related",
"modified": "2025-11-13T02:02:12.454000",
"created": "2025-10-14T03:21:38.305000",
"tags": [
"pulses ipv4",
"ipv4",
"div div",
"united",
"script script",
"a li",
"present jul",
"param",
"entries",
"present aug",
"certificate",
"global domains",
"date",
"title",
"class",
"meta",
"agent",
"stack",
"life",
"a domains",
"passive dns",
"urls",
"ok server",
"gmt content",
"type",
"hostname add",
"pulse pulses",
"files",
"win32mydoom oct",
"trojan",
"next associated",
"pulse",
"reverse dns",
"twitter",
"body",
"dynamicloader",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"unknown",
"copy",
"write",
"malware",
"push",
"next",
"autorun",
"suspicious",
"ip address",
"unknown ns",
"unknown aaaa",
"ipv4 add",
"location united",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ck id",
"show technique",
"mitre att",
"path",
"error",
"fatalerror",
"general",
"hybrid",
"local",
"click",
"strings",
"filehashsha256",
"filehashmd5",
"filehashsha1",
"iist",
"malware family",
"mydoom att",
"ck ids",
"t1060",
"run keys",
"indicator role",
"title added",
"active related",
"showing",
"url https",
"url http",
"startup",
"folder",
"web protocols",
"t1105",
"tool transfer",
"indicators hong",
"kong",
"china",
"germany",
"australia",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"wire",
"t1071"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1022",
"name": "Data Encrypted",
"display_name": "T1022 - Data Encrypted"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1525",
"name": "Implant Internal Image",
"display_name": "T1525 - Implant Internal Image"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2724,
"hostname": 1212,
"domain": 410,
"FileHash-MD5": 408,
"email": 9,
"FileHash-SHA256": 604,
"FileHash-SHA1": 307
},
"indicator_count": 5674,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d7d8ee2caff74a1759380a",
"name": "Quasar - DiabloFans.com ( packed) how a YouTube follow turned into a 12 year campaign of fear & intimidation",
"description": "Packed with malware, rats, droppers, bots, info stealers diablofans.com matches targets description of how attack began in 10.2013. Egregious patient abuse led national medical corporation and / or quasi entity involved to attack / silence victim. Within 48 hours of disclosure\nof events causing victim to stop treating a Guy Fawkes profile with satanic name became\nvictims YouTube follower beginning 12 year + cyber warfare attack against crime victim. Overseeing MD prompted an investigation, told target she would be targeted and to hide. The website appears to be a front for very malicious activities. Several network attack began a destructive campaign against target. Many attacks and websites , parking crews involved. All tags auto populated. Many fear tactics & attempts. . | Description: For years, DiabloFans served as a major community hub for discussing Diablo III, posting news, and sharing character builds. (shutdown? sold to curse.llc?)",
"modified": "2025-10-27T11:02:05.642000",
"created": "2025-09-27T12:30:38.161000",
"tags": [
"diablo",
"builds",
"sanctuary",
"season",
"diablo immortal",
"forums",
"interactive map",
"diablo iii",
"environ",
"trier par",
"hunt",
"chaos",
"altar",
"facebook",
"hunter",
"data redacted",
"server",
"registrar abuse",
"registrant fax",
"contact phone",
"registrar url",
"admin city",
"admin country",
"record type",
"ttl value",
"thumbprint",
"gandi sas",
"gandi",
"cloudflare",
"span",
"pattern match",
"getprocaddress",
"script",
"found https",
"path",
"ck id",
"magic",
"life",
"astaroth",
"damage",
"meta",
"lucky",
"open",
"footer",
"ladder",
"rogue",
"iframe",
"title",
"hell",
"blizzard",
"fear",
"class",
"nightmare",
"june",
"comment",
"reload",
"twitch",
"hawk",
"hydra",
"energy",
"school",
"pass",
"beast",
"maker",
"corpse",
"chat",
"hatred",
"critical",
"mephisto",
"back",
"form",
"druid",
"shadow",
"scoundrel",
"core",
"stone",
"freeze",
"light",
"speed",
"poison",
"conduit",
"charm",
"lightning",
"close",
"fury",
"steam",
"blast",
"raven",
"wave",
"horn",
"team",
"knight",
"elite",
"warp",
"premium",
"realm",
"skull",
"general",
"tracker",
"arcane",
"basilisk",
"prayer",
"black",
"soul",
"saboteur",
"bone",
"exploit",
"carnage",
"hellspawn",
"ultimate",
"spark",
"slow",
"frozen",
"immortal",
"feast",
"entropy",
"crazy",
"dead",
"heat",
"explosive",
"blaze",
"solar",
"harmony",
"attack",
"stealth",
"shell",
"mother",
"overkill",
"rage",
"werewolf",
"service",
"anomaly",
"drop",
"eclipse",
"android",
"wind",
"spirit",
"face",
"fractured",
"pandora",
"strange",
"demon",
"eternal",
"crystal",
"cold",
"false",
"window",
"format",
"click",
"strings",
"comi",
"sector",
"learn",
"adversaries",
"calls",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"reads",
"command",
"model",
"stop",
"spawns",
"development att",
"flag",
"name server",
"canada canada",
"united",
"enom",
"redacted for",
"privacy name",
"organization",
"script urls",
"name servers",
"a domains",
"emails",
"unknown ns",
"sweet heart",
"sec ch",
"media",
"encrypt",
"passive dns",
"next associated",
"ipv4 add",
"urls",
"files",
"hosting",
"reverse dns",
"dynamicloader",
"high",
"medium",
"windows",
"displayname",
"tofsee",
"yara rule",
"loaderid",
"startsrv",
"lidfileupd",
"stream",
"port",
"destination",
"win64",
"write",
"malware",
"ip address",
"domain",
"hostname add",
"search",
"packing t1045",
"module load",
"delete",
"write c",
"trojan",
"win32",
"next",
"dns query",
"icmp traffic",
"moved",
"servers",
"germany unknown",
"present mar",
"accept",
"gmt content",
"a li",
"main",
"error",
"lowfi",
"present aug",
"present sep",
"present jul",
"unknown aaaa",
"record value",
"content type",
"htm align",
"param",
"gmt server",
"france",
"france unknown",
"url analysis",
"location france",
"langchinese",
"rticon",
"pe resource",
"t1045",
"ascii text",
"cape",
"delete c",
"redline malware",
"guard",
"redline",
"defender",
"push",
"backdoor",
"present apr",
"trojandropper",
"dns resolutions",
"smoke loader",
"hacktool",
"windows auto",
"attempts",
"explorer",
"win32autoit mar",
"location united",
"ip whois",
"verdict",
"entries",
"aaaa",
"domain add",
"present feb",
"present oct",
"users",
"yara detections",
"recycle bin",
"pe section",
"as54113",
"read",
"copy",
"ufffduf1a3",
"looks",
"xrat1",
"quasar",
"powershell",
"code",
"ids detections",
"tls sni",
"contacted",
"installs",
"checks",
"windows startup",
"vendor finding",
"notes clamav",
"files matching",
"number",
"http request",
"post",
"url host",
"port method",
"user agent",
"internalsapiip",
"okrnserver",
"ubuntu",
"hash",
"alerts",
"present jun",
"mtb jun",
"date",
"cname",
"creation date",
"ukraine"
],
"references": [
"DiabloFans.com",
"Every tag OTC auto populated . Crazy talk. Please see Mitre ATT&CK",
"twitter.com \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 www.pornhub.com \u2022 oriental-porno.lat",
"https://pin.it/ \u2022 pin.it a fake Pinterest for Tsara Brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"http://www.sweetheartvideo.com/tsara-brashears \u2022 https://www.sweetheartvideo.com/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing \u2022 www.anyxxxtube.net",
"init.ess.apple.com \u2022otc.greatcall.com (phone manipulators) \u2022 mailtrack.io \u2022 https://trackacourier.net",
"https://www.youtube-nocookie.com/embed/6w5ukhqvtmq",
"https://www.youtube.com \u2022 https://www.youtube.com/user/CurseDiablofans",
"https://www.youtube-nocookie.com/embed/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win32:CrypterX-gen\\ [Trj]",
"display_name": "Win32:CrypterX-gen\\ [Trj]",
"target": null
},
{
"id": "ALF:Trojan:Win32/VTFlooder",
"display_name": "ALF:Trojan:Win32/VTFlooder",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Smoke Loader",
"display_name": "Smoke Loader",
"target": null
},
{
"id": "Win.Dropper.Vbclone-10036195-0",
"display_name": "Win.Dropper.Vbclone-10036195-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Worm:Win32/Vobfus",
"display_name": "ALF:HeraklezEval:Worm:Win32/Vobfus",
"target": null
},
{
"id": "Trojan:Win32/Danabot",
"display_name": "Trojan:Win32/Danabot",
"target": "/malware/Trojan:Win32/Danabot"
},
{
"id": "ALF:Trojan:Win32/G3nasom!imp",
"display_name": "ALF:Trojan:Win32/G3nasom!imp",
"target": null
},
{
"id": "Unidentified 083 (AutoIT Stealer)",
"display_name": "Unidentified 083 (AutoIT Stealer)",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
}
],
"attack_ids": [
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1201",
"name": "Password Policy Discovery",
"display_name": "T1201 - Password Policy Discovery"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1585.001",
"name": "Social Media Accounts",
"display_name": "T1585.001 - Social Media Accounts"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 656,
"FileHash-SHA256": 2354,
"hostname": 499,
"URL": 1319,
"email": 21,
"FileHash-MD5": 766,
"FileHash-SHA1": 748,
"SSLCertFingerprint": 10
},
"indicator_count": 6373,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "174 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6894fd48178a2cc0c287af71",
"name": "Polymorphic | Worm & Trojan:Win32/Mydoom. IoC\u2019s + | Device local *Remowted.com",
"description": "",
"modified": "2025-09-06T19:01:20.165000",
"created": "2025-08-07T19:23:52.346000",
"tags": [
"filehashmd5",
"indicator role",
"title added",
"active related",
"filehashsha256",
"t1105",
"tool transfer",
"t1480",
"guardrails",
"t1566",
"t1568",
"t1012",
"t1023",
"t1031",
"service",
"filehashsha1",
"iocs",
"learn more",
"hostname",
"types of",
"netherlands",
"united",
"denmark",
"belgium",
"dynamicloader",
"yara rule",
"vmdetect",
"write c",
"search",
"medium",
"show",
"entries",
"high",
"worm",
"copy",
"write",
"unknown",
"markus",
"malware",
"suspicious",
"crlf line",
"unicode text",
"utf8",
"ascii text",
"trojan",
"music",
"next",
"autorun"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 221,
"FileHash-SHA1": 129,
"FileHash-SHA256": 713,
"URL": 2616,
"domain": 338,
"hostname": 598,
"email": 7
},
"indicator_count": 4622,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "224 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66fc29a49b5ac693c8d75122",
"name": "Medical Campus - Aurora, Co | Recheck",
"description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
"modified": "2024-10-31T16:03:52.240000",
"created": "2024-10-01T16:56:04.004000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3850,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3329,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "535 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66b4cf3679de69dec5a958e6",
"name": "X.com Impacting Azure with Miscellaneous attacks, targeting, fraud",
"description": "Impacting Azure\nx.com - Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO,etc\nGoogle Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO,etc\n Auto populated:\"North Bay Python\" is a web address that allows users to connect to the website via a secure link, using a third-party server, or a \"third party\" service..",
"modified": "2024-09-12T00:49:28.639000",
"created": "2024-08-08T13:59:18.768000",
"tags": [
"a domains",
"search",
"passive dns",
"urls",
"gandi sas",
"creation date",
"record value",
"name servers",
"dnssec",
"date",
"unknown",
"next",
"contact",
"contacted",
"canada",
"ca issuuer",
"aaaa",
"samuel tulach topics",
"registrar abuse",
"servers",
"python",
"code"
],
"references": [
"Sourced from: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
"2018.northbaypython.org",
"https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
"malwareprotectionlive.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 23,
"FileHash-MD5": 4,
"domain": 116,
"URL": 15,
"email": 2,
"FileHash-SHA256": 20
},
"indicator_count": 180,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "584 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66933b9c8be1a5b9e24de941",
"name": "Worm:Win32/Enosch - Affecting YouTube, Google and more",
"description": "",
"modified": "2024-08-13T02:01:24.759000",
"created": "2024-07-14T02:44:44.457000",
"tags": [
"june",
"october",
"july",
"tracking",
"december",
"apple ios",
"relacionada",
"partru",
"plugx",
"cryptbot",
"hacktool",
"lockbit",
"as8075",
"united",
"slot1",
"mascore2",
"bcnt1",
"nct1",
"arc1",
"ems1",
"auth1",
"localeenus",
"date",
"default",
"show",
"regsetvalueexa",
"search",
"regdword",
"medium",
"settingswpad",
"delete",
"ids detections",
"yara detections",
"worm",
"malware",
"copy",
"write",
"win32",
"unknown",
"asnone united",
"as14061",
"status",
"creation date",
"name servers",
"cname",
"next",
"passive dns",
"as15169 google",
"gmt cache",
"sameorigin",
"443 ma2592000",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"as63949 linode",
"html",
"gmt content",
"moved",
"encrypt",
"body",
"record value",
"emails",
"domain name",
"error",
"code",
"algorithm",
"key usage",
"v3 serial",
"number",
"public key",
"info",
"key algorithm",
"subject key",
"identifier",
"x509v3 crl",
"first",
"as6185 apple",
"japan",
"as8068",
"as714 apple",
"aaaa",
"as32244 liquid",
"nxdomain",
"as44273 host",
"script urls",
"meta",
"as31154 toyota",
"belgium unknown",
"belgium",
"pulse submit",
"url analysis",
"win32 exe",
"android",
"servers",
"files",
"name",
"domain",
"ashley",
"sylvia",
"sonja",
"file type",
"karin",
"gina",
"christine",
"kathrin",
"sandy"
],
"references": [
"http://www.google.com/images/errors/robot.png",
"beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com",
"nr-data.net [Apple Private Data Collection]",
"47.courier-push-apple.com.akadns.net",
"Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn",
"IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants",
"Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer",
"Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger",
"Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc",
"Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5",
"Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Worm:Win32/Enosch!atmn",
"display_name": "Worm:Win32/Enosch!atmn",
"target": "/malware/Worm:Win32/Enosch!atmn"
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 146,
"FileHash-SHA1": 126,
"FileHash-SHA256": 1422,
"URL": 377,
"domain": 889,
"hostname": 418,
"SSLCertFingerprint": 1,
"email": 10
},
"indicator_count": 3389,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "614 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6681f23173d69e5173518010",
"name": "Tracking ",
"description": "",
"modified": "2024-07-30T16:00:57.143000",
"created": "2024-07-01T00:02:57.668000",
"tags": [
"historical ssl",
"referrer",
"urls",
"analyzer paste",
"iocs",
"hostnames",
"urls http",
"samples",
"generic malware",
"tag count",
"wed aug",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"cisco umbrella",
"site",
"malware",
"alexa top",
"safe site",
"million",
"malicious url",
"internet storm",
"team top",
"team",
"suppobox",
"united",
"mail spammer",
"cyber threat",
"phishing",
"coalition",
"malicious site",
"download",
"phishing site",
"telefonica co",
"kuaizip",
"unsafe",
"riskware",
"unknown",
"win32",
"kukacka jan",
"creation date",
"search",
"emails",
"date",
"entries",
"scan endpoints",
"as46606",
"title",
"passive dns",
"body doctype",
"meta",
"gmt max",
"age7200 path",
"upgrade",
"apache",
"as44273 host",
"all scoreblue",
"pulse pulses",
"files",
"ip address",
"asn as16509",
"germany unknown",
"bq jun",
"virtool",
"ipv4",
"main",
"trojandropper",
"artro",
"script urls",
"link",
"script script",
"div div",
"xl div",
"div section",
"script domains",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"httponly",
"gmt connection",
"html info",
"title launch"
],
"references": [
"http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11",
"http://takenlive.net/index.php | takenlive.net | batteam.live | fireyes.live | liveatparkwestapts.com",
"Backdoor:Win32/Hupigon: FileHash-SHA256 22267dd9da3b0b46619ff2f2195a02e0f590a47a1dffa4d32f01f598f40cc5c0",
"Backdoor:Win32/Hupigon: FileHash-MD5 7ef28ab7959a5178b736ec834a23443e",
"Backdoor:Win32/Hupigon: FileHash-SHA1 658c279b656a03d8e3fc7f5ee02fcfd937669b2d",
"Backdoor:Win32/Hupigon: FileHash-SHA256 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0",
"Kukacka: FileHash-SHA256 be22fb844f7017b1d01bdff406f0b398fcfeb9a088cb6c4616854d38dbd36bfa",
"Kukacka: FileHash-SHA1 81740fc245050465a6c85023c18da7b0525eba53",
"Kukacka: FileHash-MD5 d52015668162856eef29d99ea3ec7f7a",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 W32/Hicrazyk.A Downloader Install CnC Beacon Win32.Lollipop.R Checkin M2 Win32.Lollipop.R Checkin",
"IDS Detections: CryptoWall Check-in Long Fake wget 3.0 User-Agent Detected Win32.Sality-GR Checkin Win32/Nuclear Checkin",
"IDS Detections: Win32/Nuclear Checkin Potentially Unwanted Application AirInstaller PUP.Uniblue Checkin",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Sabsik.TE.A!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Zombie.A , ALF:Trojan:Win32/Cassini_f28c33a2!ibt , Backdoor:Win32/Hupigon , Backdoor:Win32/Simda , Backdoor:Win32/Simda!rfn , Backdoor:Win32/Simda.gen!A , Backdoor:Win32/Simda.gen!B ,",
"https://clickndownload.link/iatzq4q773mo/On.Patrol.Live.S02E74.HDTV.h264-RBB.mp4.html",
"TrojanDropper:Win32/Hupigon.gen!A: 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0 [Can't access file]",
"http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11",
"tracking.minitool.com trackeffect.lol",
"https://otx.alienvault.com/indicator/ip/3.64.163.50"
],
"public": 1,
"adversary": "SALTY SPIDER",
"targeted_countries": [],
"malware_families": [
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Backdoor:Win32/Hupigon",
"display_name": "Backdoor:Win32/Hupigon",
"target": "/malware/Backdoor:Win32/Hupigon"
},
{
"id": "Kukacka",
"display_name": "Kukacka",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "66819ecbe1f78dd45a69a703",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 648,
"FileHash-SHA1": 367,
"FileHash-SHA256": 688,
"URL": 435,
"domain": 544,
"hostname": 329,
"CVE": 1,
"email": 4
},
"indicator_count": 3016,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "628 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66819ecbe1f78dd45a69a703",
"name": "Tracking",
"description": "Tracking, spying, pursuit, filming",
"modified": "2024-07-30T16:00:57.143000",
"created": "2024-06-30T18:07:07.738000",
"tags": [
"historical ssl",
"referrer",
"urls",
"analyzer paste",
"iocs",
"hostnames",
"urls http",
"samples",
"generic malware",
"tag count",
"wed aug",
"analyzer threat",
"url summary",
"ip summary",
"summary",
"sample",
"cisco umbrella",
"site",
"malware",
"alexa top",
"safe site",
"million",
"malicious url",
"internet storm",
"team top",
"team",
"suppobox",
"united",
"mail spammer",
"cyber threat",
"phishing",
"coalition",
"malicious site",
"download",
"phishing site",
"telefonica co",
"kuaizip",
"unsafe",
"riskware",
"unknown",
"win32",
"kukacka jan",
"creation date",
"search",
"emails",
"date",
"entries",
"scan endpoints",
"as46606",
"title",
"passive dns",
"body doctype",
"meta",
"gmt max",
"age7200 path",
"upgrade",
"apache",
"as44273 host",
"all scoreblue",
"pulse pulses",
"files",
"ip address",
"asn as16509",
"germany unknown",
"bq jun",
"virtool",
"ipv4",
"main",
"trojandropper",
"artro",
"script urls",
"link",
"script script",
"div div",
"xl div",
"div section",
"script domains",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"httponly",
"gmt connection",
"html info",
"title launch"
],
"references": [
"http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11",
"http://takenlive.net/index.php | takenlive.net | batteam.live | fireyes.live | liveatparkwestapts.com",
"Backdoor:Win32/Hupigon: FileHash-SHA256 22267dd9da3b0b46619ff2f2195a02e0f590a47a1dffa4d32f01f598f40cc5c0",
"Backdoor:Win32/Hupigon: FileHash-MD5 7ef28ab7959a5178b736ec834a23443e",
"Backdoor:Win32/Hupigon: FileHash-SHA1 658c279b656a03d8e3fc7f5ee02fcfd937669b2d",
"Backdoor:Win32/Hupigon: FileHash-SHA256 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0",
"Kukacka: FileHash-SHA256 be22fb844f7017b1d01bdff406f0b398fcfeb9a088cb6c4616854d38dbd36bfa",
"Kukacka: FileHash-SHA1 81740fc245050465a6c85023c18da7b0525eba53",
"Kukacka: FileHash-MD5 d52015668162856eef29d99ea3ec7f7a",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 W32/Hicrazyk.A Downloader Install CnC Beacon Win32.Lollipop.R Checkin M2 Win32.Lollipop.R Checkin",
"IDS Detections: CryptoWall Check-in Long Fake wget 3.0 User-Agent Detected Win32.Sality-GR Checkin Win32/Nuclear Checkin",
"IDS Detections: Win32/Nuclear Checkin Potentially Unwanted Application AirInstaller PUP.Uniblue Checkin",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Sabsik.TE.A!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Zombie.A , ALF:Trojan:Win32/Cassini_f28c33a2!ibt , Backdoor:Win32/Hupigon , Backdoor:Win32/Simda , Backdoor:Win32/Simda!rfn , Backdoor:Win32/Simda.gen!A , Backdoor:Win32/Simda.gen!B ,",
"https://clickndownload.link/iatzq4q773mo/On.Patrol.Live.S02E74.HDTV.h264-RBB.mp4.html",
"TrojanDropper:Win32/Hupigon.gen!A: 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0 [Can't access file]",
"http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11",
"tracking.minitool.com trackeffect.lol",
"https://otx.alienvault.com/indicator/ip/3.64.163.50"
],
"public": 1,
"adversary": "SALTY SPIDER",
"targeted_countries": [],
"malware_families": [
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Backdoor:Win32/Hupigon",
"display_name": "Backdoor:Win32/Hupigon",
"target": "/malware/Backdoor:Win32/Hupigon"
},
{
"id": "Kukacka",
"display_name": "Kukacka",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 648,
"FileHash-SHA1": 367,
"FileHash-SHA256": 688,
"URL": 435,
"domain": 544,
"hostname": 329,
"CVE": 1,
"email": 4
},
"indicator_count": 3016,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "628 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "665ec0cfd110b0694c51fbe2",
"name": "Eset - Dorkbot",
"description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.",
"modified": "2024-07-04T06:01:28.799000",
"created": "2024-06-04T07:22:55.572000",
"tags": [
"historical ssl",
"referrer",
"algorithm",
"v3 serial",
"number",
"cus cnamazon",
"validity",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"first",
"server",
"registrar abuse",
"date",
"csl computer",
"gmbh dba",
"contact phone",
"domain status",
"registrar url",
"registrar whois",
"contact email",
"code",
"united",
"unknown",
"aaaa",
"as14061",
"cname",
"search",
"emails",
"dnssec",
"showing",
"win32",
"title error",
"passive dns",
"open ports",
"trojan",
"body doctype",
"html public",
"w3cdtd html",
"body",
"dns replication",
"domain",
"lookups",
"email",
"name server",
"slovensko",
"tech contact",
"valid",
"admin contact",
"a domains",
"a li",
"span h3",
"header link",
"option option",
"united kingdom",
"test",
"april",
"meta",
"paris",
"eset",
"yara detections",
"nod32",
"amon",
"internalname",
"online payment",
"scan endpoints",
"all scoreblue",
"filehash",
"pulse pulses",
"amz cf",
"creation date",
"record value",
"expiration date",
"name servers",
"servers",
"status",
"next",
"asnone united",
"moved",
"certificate",
"ipv4",
"urls",
"files",
"av detections",
"ids detections",
"alerts",
"analysis date",
"cf2a",
"xaax04x00",
"high",
"dns reply",
"noip domain",
"et trojan",
"createsuspended",
"malware traffic",
"dorkbot",
"malware",
"copy",
"name verdict",
"falcon sandbox",
"windows nt",
"appdata",
"png image",
"pattern match",
"indicator",
"ascii text",
"rgba",
"get collect",
"vj98",
"hybrid",
"general",
"local",
"click",
"strings",
"path",
"ms windows",
"pe32",
"intel",
"microsoft asf",
"pe32 executable",
"database",
"english",
"installer",
"template",
"tue jun",
"service",
"crlf line",
"url https",
"http",
"ip address",
"related nids",
"files location",
"tip"
],
"references": [
"bpp.eset.com",
"IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP",
"IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake",
"High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication",
"High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory",
"High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .",
"IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99",
"Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru",
"https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778",
"Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer",
"https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E",
"appleremotesupport.com | http://thickapple.net/index.php",
"https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3",
"https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png",
"https://appleid-verify.servecounterstrike.com/",
"http://schoolgirl.uxxxporn.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:GenMalicious-KAG\\ [Trj]",
"display_name": "Win32:GenMalicious-KAG\\ [Trj]",
"target": null
},
{
"id": ", Win.Trojan.Agent-1286703",
"display_name": ", Win.Trojan.Agent-1286703",
"target": null
},
{
"id": "Trojan:Win32/DorkBot.DU",
"display_name": "Trojan:Win32/DorkBot.DU",
"target": "/malware/Trojan:Win32/DorkBot.DU"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win.Trojan.Cosmu-1058",
"display_name": "Win.Trojan.Cosmu-1058",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
}
],
"industries": [
"Finance",
"Healthcare",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 758,
"FileHash-SHA1": 478,
"FileHash-SHA256": 2561,
"URL": 8210,
"domain": 2202,
"hostname": 2760,
"email": 22,
"CVE": 3
},
"indicator_count": 16994,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "654 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65cd05cd3c9d0cc0b9ed215f",
"name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
"description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-02-14T18:26:21.427000",
"tags": [
"united",
"unknown",
"status",
"sec ch",
"as44273 host",
"search",
"aaaa",
"showing",
"ch ua",
"record value",
"ssl certificate",
"threat roundup",
"contacted",
"communicating",
"historical ssl",
"referrer",
"resolutions",
"http",
"execution",
"gopher",
"pattern match",
"breakpoint",
"command decode",
"desktop",
"base",
"gambino",
"pizza",
"suricata ipv4",
"mitre att",
"date",
"meta",
"footer",
"february",
"general",
"model",
"comspec",
"click",
"strings",
"main",
"brian sabey",
"hallrender",
"trojan",
"worm",
"frankfurt",
"germany",
"asn15169",
"google",
"asn16509",
"amazon02",
"asn396982",
"kansas city",
"franchise url",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"reverse dns",
"general full",
"url https",
"resource",
"hash",
"protocol h2",
"asn13335",
"cloudflarenet",
"software",
"domains",
"hashes",
"learn",
"issues tab",
"value",
"variables",
"typeof function",
"topropertykey",
"bricksintersect",
"bricksfunction",
"domainpath name",
"request chain",
"chain",
"nl page",
"url history",
"javascript",
"page url",
"redirected",
"poweshell",
"bruschettab",
"mobsterstageda",
"calzonec",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"beefpizzac",
"superitaliansub",
"cname",
"msie",
"chrome",
"asnone united",
"as6336 turn",
"nxdomain",
"whitelisted",
"creation date",
"turn",
"body",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"registrar abuse",
"iana id",
"registrar url",
"registrar whois",
"contact email",
"registry domain",
"contact phone",
"dnssec",
"code",
"type name",
"win32 exe",
"recreation",
"whois record",
"infected",
"page dow",
"poser",
"scammer",
"security",
"malvertizing",
"betting",
"illegal activity",
"linux",
"teen porn",
"child exploitation",
"script urls",
"a domains",
"as10796 charter",
"find your",
"next franchise",
"x content",
"backend",
"as13768 aptum",
"moved",
"passive dns",
"urls",
"as2635",
"as14061",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"ip address",
"related nids",
"files location",
"date hash",
"avast avg",
"nastya",
"entries",
"emotet",
"windows nt",
"show",
"etpro trojan",
"channel",
"artemis",
"medium",
"delete",
"copy",
"virustotal",
"trojan",
"write",
"trojanproxy",
"vipre",
"panda",
"malware",
"malware infection",
"dga",
"algorithm generated domains",
"command and control",
"pe32 executable",
"tag",
"tagging",
"porn tagging",
"as3356 level",
"tahoma arial",
"servers",
"as1136 kpn",
"next",
"et",
"remote",
"confirm http",
"sectrack",
"openssl",
"fulldisc",
"secunia",
"confirm https",
"openssl tls",
"multiple",
"remote",
"misc https",
"impact",
"heartbleed",
"external source",
"name hyperlink",
"hp hpsbmu02998",
"hp hpsbmu03019",
"hp hpsbmu03030",
"hp hpsbmu03018",
"title",
"lowfi",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"mozilla",
"720.282.2025",
"masquerading",
"ninite feb",
"mtb feb",
"telper",
"trojandropper",
"ninite",
"create c",
"read c",
"default",
"create",
"unicode",
"dock",
"xport"
],
"references": [
"www.gambinospizza.com",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"http://porn.toplistcreator.eu/in.php",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "XLS:Nastya\\ [Trj]",
"display_name": "XLS:Nastya\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Crypt4.YGM",
"display_name": "Crypt4.YGM",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Heartbleed Bug",
"display_name": "Heartbleed Bug",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 118,
"FileHash-SHA1": 106,
"domain": 3271,
"hostname": 2451,
"URL": 8652,
"email": 8,
"FileHash-SHA256": 3153,
"CVE": 4
},
"indicator_count": 17763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "734 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65eb9b25110526c6b2a0ada5",
"name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff",
"description": "",
"modified": "2024-03-08T23:11:33.426000",
"created": "2024-03-08T23:11:33.426000",
"tags": [
"threat",
"feeds ioc",
"new ioc",
"teams api",
"contact",
"paste",
"iocs",
"analyze",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"whois whois",
"communicating",
"contacted",
"family",
"roots",
"lolkek",
"redline stealer",
"hacktool",
"html info",
"title rexxfield",
"services",
"identify",
"meta tags",
"rexxfield cyber",
"investigation",
"divi child",
"site kit",
"google",
"united",
"unknown",
"as24940 hetzner",
"germany unknown",
"passive dns",
"urls",
"title",
"moved",
"scan endpoints",
"all octoseek",
"body",
"cyber stalking",
"pornographer",
"urls url",
"files",
"ip address",
"execution",
"metro",
"medium",
"show",
"search",
"ids detections",
"yara detections",
"win32",
"ppi useragent",
"installcapital",
"http",
"packing t1045",
"malware",
"write",
"obsession",
"malvertizing",
"masquerading",
"ipv4",
"pulse submit",
"url analysis",
"cookie",
"status",
"domain",
"creation date",
"trojan",
"date",
"expiration date",
"name servers",
"trojanclicker",
"encrypt",
"error",
"ransomware",
"malware generator",
"meta",
"for privacy",
"aaaa",
"komodo",
"asnone united",
"alfper",
"as22612",
"nxdomain",
"gmt x",
"ransom",
"virtool",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"california",
"false",
"pulse pulses",
"location united",
"as16276",
"as14061",
"code",
"next",
"url http",
"hostname",
"files domain",
"files related",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"as13414 twitter",
"as32934",
"script urls",
"a domains",
"worm",
"entries",
"meta http",
"window",
"select contact",
"domain holder",
"nexus category",
"tackle company",
"postal code",
"component loop",
"apache",
"pragma",
"value0",
"ioc search",
"threat analyzer",
"hostnames",
"dangerous",
"target",
"targeting",
"hacker profile",
"cybercrime",
"fraud services",
"strange",
"tsara brashears",
"michael roberts",
"tracey richter",
"voyeurism",
"slander",
"password",
"hijacker"
],
"references": [
"https://rexxfield.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"www.akhaltsikhe.gov.ge [Germany?]",
"screencasts.rexxfield.com",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"94.130.71.173 [scanning host]",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"a.nel.cloudflare.com / api.w.org",
"miles.ns.cloudflare.com",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"https://www.google.com/?authuser=0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.CF!MTB",
"display_name": "VirTool:MSIL/CryptInject.CF!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.CF!MTB"
},
{
"id": "Win.Malware.Downloadguide-6803841-0",
"display_name": "Win.Malware.Downloadguide-6803841-0",
"target": null
},
{
"id": "Win.Packed.kkrunchy-7049457-1",
"display_name": "Win.Packed.kkrunchy-7049457-1",
"target": null
},
{
"id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.A",
"display_name": "TrojanDownloader:Win32/Upatre.A",
"target": "/malware/TrojanDownloader:Win32/Upatre.A"
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"target": null
},
{
"id": "Backdoor:Win32/Wabot.A",
"display_name": "Backdoor:Win32/Wabot.A",
"target": "/malware/Backdoor:Win32/Wabot.A"
},
{
"id": "Ransom:Win32/G And Crab!rfn",
"display_name": "Ransom:Win32/G And Crab!rfn",
"target": "/malware/Ransom:Win32/G And Crab!rfn"
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "#Lowfi:FOP:VirTool:Win32/Injector",
"display_name": "#Lowfi:FOP:VirTool:Win32/Injector",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:Win32/Fesber.A",
"display_name": "Worm:Win32/Fesber.A",
"target": "/malware/Worm:Win32/Fesber.A"
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"target": null
},
{
"id": "InstallBrain",
"display_name": "InstallBrain",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "TrojanSpy:Win32/Bradesco",
"display_name": "TrojanSpy:Win32/Bradesco",
"target": "/malware/TrojanSpy:Win32/Bradesco"
},
{
"id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65a342310ab3d2c69778d608",
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 143,
"FileHash-SHA1": 130,
"FileHash-SHA256": 1524,
"URL": 3340,
"domain": 1735,
"hostname": 1398,
"CVE": 1,
"email": 6,
"SSLCertFingerprint": 2
},
"indicator_count": 8279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "771 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65eb98d47b74b50cf8ce6797",
"name": "VirTool:Win32/AccessMe | Ghost RAT",
"description": "",
"modified": "2024-03-08T23:01:40.129000",
"created": "2024-03-08T23:01:40.129000",
"tags": [
"threat",
"feeds ioc",
"new ioc",
"teams api",
"contact",
"paste",
"iocs",
"analyze",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"whois whois",
"communicating",
"contacted",
"family",
"roots",
"lolkek",
"redline stealer",
"hacktool",
"html info",
"title rexxfield",
"services",
"identify",
"meta tags",
"rexxfield cyber",
"investigation",
"divi child",
"site kit",
"google",
"united",
"unknown",
"as24940 hetzner",
"germany unknown",
"passive dns",
"urls",
"title",
"moved",
"scan endpoints",
"all octoseek",
"body",
"cyber stalking",
"pornographer",
"urls url",
"files",
"ip address",
"execution",
"metro",
"medium",
"show",
"search",
"ids detections",
"yara detections",
"win32",
"ppi useragent",
"installcapital",
"http",
"packing t1045",
"malware",
"write",
"obsession",
"malvertizing",
"masquerading",
"ipv4",
"pulse submit",
"url analysis",
"cookie",
"status",
"domain",
"creation date",
"trojan",
"date",
"expiration date",
"name servers",
"trojanclicker",
"encrypt",
"error",
"ransomware",
"malware generator",
"meta",
"for privacy",
"aaaa",
"komodo",
"asnone united",
"alfper",
"as22612",
"nxdomain",
"gmt x",
"ransom",
"virtool",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"california",
"false",
"pulse pulses",
"location united",
"as16276",
"as14061",
"code",
"next",
"url http",
"hostname",
"files domain",
"files related",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"as13414 twitter",
"as32934",
"script urls",
"a domains",
"worm",
"entries",
"meta http",
"window",
"select contact",
"domain holder",
"nexus category",
"tackle company",
"postal code",
"component loop",
"apache",
"pragma",
"value0",
"ioc search",
"threat analyzer",
"hostnames",
"dangerous",
"target",
"targeting",
"hacker profile",
"cybercrime",
"fraud services",
"strange",
"tsara brashears",
"michael roberts",
"tracey richter",
"voyeurism",
"slander",
"password",
"hijacker"
],
"references": [
"https://rexxfield.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"www.akhaltsikhe.gov.ge [Germany?]",
"screencasts.rexxfield.com",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"94.130.71.173 [scanning host]",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"a.nel.cloudflare.com / api.w.org",
"miles.ns.cloudflare.com",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"https://www.google.com/?authuser=0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.CF!MTB",
"display_name": "VirTool:MSIL/CryptInject.CF!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.CF!MTB"
},
{
"id": "Win.Malware.Downloadguide-6803841-0",
"display_name": "Win.Malware.Downloadguide-6803841-0",
"target": null
},
{
"id": "Win.Packed.kkrunchy-7049457-1",
"display_name": "Win.Packed.kkrunchy-7049457-1",
"target": null
},
{
"id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.A",
"display_name": "TrojanDownloader:Win32/Upatre.A",
"target": "/malware/TrojanDownloader:Win32/Upatre.A"
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"target": null
},
{
"id": "Backdoor:Win32/Wabot.A",
"display_name": "Backdoor:Win32/Wabot.A",
"target": "/malware/Backdoor:Win32/Wabot.A"
},
{
"id": "Ransom:Win32/G And Crab!rfn",
"display_name": "Ransom:Win32/G And Crab!rfn",
"target": "/malware/Ransom:Win32/G And Crab!rfn"
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "#Lowfi:FOP:VirTool:Win32/Injector",
"display_name": "#Lowfi:FOP:VirTool:Win32/Injector",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:Win32/Fesber.A",
"display_name": "Worm:Win32/Fesber.A",
"target": "/malware/Worm:Win32/Fesber.A"
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"target": null
},
{
"id": "InstallBrain",
"display_name": "InstallBrain",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "TrojanSpy:Win32/Bradesco",
"display_name": "TrojanSpy:Win32/Bradesco",
"target": "/malware/TrojanSpy:Win32/Bradesco"
},
{
"id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65acace20c18a7d6c5da2e27",
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 143,
"FileHash-SHA1": 130,
"FileHash-SHA256": 1524,
"URL": 3340,
"domain": 1735,
"hostname": 1398,
"CVE": 1,
"email": 6,
"SSLCertFingerprint": 2
},
"indicator_count": 8279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "771 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65afc9cf333bbda03a18e03c",
"name": "VirTool:Win32/AccessMe | Ghost RAT",
"description": "",
"modified": "2024-02-13T00:04:59.507000",
"created": "2024-01-23T14:14:39.725000",
"tags": [
"threat",
"feeds ioc",
"new ioc",
"teams api",
"contact",
"paste",
"iocs",
"analyze",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"whois whois",
"communicating",
"contacted",
"family",
"roots",
"lolkek",
"redline stealer",
"hacktool",
"html info",
"title rexxfield",
"services",
"identify",
"meta tags",
"rexxfield cyber",
"investigation",
"divi child",
"site kit",
"google",
"united",
"unknown",
"as24940 hetzner",
"germany unknown",
"passive dns",
"urls",
"title",
"moved",
"scan endpoints",
"all octoseek",
"body",
"cyber stalking",
"pornographer",
"urls url",
"files",
"ip address",
"execution",
"metro",
"medium",
"show",
"search",
"ids detections",
"yara detections",
"win32",
"ppi useragent",
"installcapital",
"http",
"packing t1045",
"malware",
"write",
"obsession",
"malvertizing",
"masquerading",
"ipv4",
"pulse submit",
"url analysis",
"cookie",
"status",
"domain",
"creation date",
"trojan",
"date",
"expiration date",
"name servers",
"trojanclicker",
"encrypt",
"error",
"ransomware",
"malware generator",
"meta",
"for privacy",
"aaaa",
"komodo",
"asnone united",
"alfper",
"as22612",
"nxdomain",
"gmt x",
"ransom",
"virtool",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"california",
"false",
"pulse pulses",
"location united",
"as16276",
"as14061",
"code",
"next",
"url http",
"hostname",
"files domain",
"files related",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"as13414 twitter",
"as32934",
"script urls",
"a domains",
"worm",
"entries",
"meta http",
"window",
"select contact",
"domain holder",
"nexus category",
"tackle company",
"postal code",
"component loop",
"apache",
"pragma",
"value0",
"ioc search",
"threat analyzer",
"hostnames",
"dangerous",
"target",
"targeting",
"hacker profile",
"cybercrime",
"fraud services",
"strange",
"tsara brashears",
"michael roberts",
"tracey richter",
"voyeurism",
"slander",
"password",
"hijacker"
],
"references": [
"https://rexxfield.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"www.akhaltsikhe.gov.ge [Germany?]",
"screencasts.rexxfield.com",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"94.130.71.173 [scanning host]",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"a.nel.cloudflare.com / api.w.org",
"miles.ns.cloudflare.com",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"https://www.google.com/?authuser=0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.CF!MTB",
"display_name": "VirTool:MSIL/CryptInject.CF!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.CF!MTB"
},
{
"id": "Win.Malware.Downloadguide-6803841-0",
"display_name": "Win.Malware.Downloadguide-6803841-0",
"target": null
},
{
"id": "Win.Packed.kkrunchy-7049457-1",
"display_name": "Win.Packed.kkrunchy-7049457-1",
"target": null
},
{
"id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.A",
"display_name": "TrojanDownloader:Win32/Upatre.A",
"target": "/malware/TrojanDownloader:Win32/Upatre.A"
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"target": null
},
{
"id": "Backdoor:Win32/Wabot.A",
"display_name": "Backdoor:Win32/Wabot.A",
"target": "/malware/Backdoor:Win32/Wabot.A"
},
{
"id": "Ransom:Win32/G And Crab!rfn",
"display_name": "Ransom:Win32/G And Crab!rfn",
"target": "/malware/Ransom:Win32/G And Crab!rfn"
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "#Lowfi:FOP:VirTool:Win32/Injector",
"display_name": "#Lowfi:FOP:VirTool:Win32/Injector",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:Win32/Fesber.A",
"display_name": "Worm:Win32/Fesber.A",
"target": "/malware/Worm:Win32/Fesber.A"
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"target": null
},
{
"id": "InstallBrain",
"display_name": "InstallBrain",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "TrojanSpy:Win32/Bradesco",
"display_name": "TrojanSpy:Win32/Bradesco",
"target": "/malware/TrojanSpy:Win32/Bradesco"
},
{
"id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65acace20c18a7d6c5da2e27",
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 143,
"FileHash-SHA1": 130,
"FileHash-SHA256": 1524,
"URL": 3340,
"domain": 1735,
"hostname": 1398,
"CVE": 1,
"email": 6,
"SSLCertFingerprint": 2
},
"indicator_count": 8279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "796 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65acace20c18a7d6c5da2e27",
"name": "VirTool:Win32/AccessMe | Ghost RAT",
"description": "",
"modified": "2024-02-13T00:04:59.507000",
"created": "2024-01-21T05:34:26.800000",
"tags": [
"threat",
"feeds ioc",
"new ioc",
"teams api",
"contact",
"paste",
"iocs",
"analyze",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"whois whois",
"communicating",
"contacted",
"family",
"roots",
"lolkek",
"redline stealer",
"hacktool",
"html info",
"title rexxfield",
"services",
"identify",
"meta tags",
"rexxfield cyber",
"investigation",
"divi child",
"site kit",
"google",
"united",
"unknown",
"as24940 hetzner",
"germany unknown",
"passive dns",
"urls",
"title",
"moved",
"scan endpoints",
"all octoseek",
"body",
"cyber stalking",
"pornographer",
"urls url",
"files",
"ip address",
"execution",
"metro",
"medium",
"show",
"search",
"ids detections",
"yara detections",
"win32",
"ppi useragent",
"installcapital",
"http",
"packing t1045",
"malware",
"write",
"obsession",
"malvertizing",
"masquerading",
"ipv4",
"pulse submit",
"url analysis",
"cookie",
"status",
"domain",
"creation date",
"trojan",
"date",
"expiration date",
"name servers",
"trojanclicker",
"encrypt",
"error",
"ransomware",
"malware generator",
"meta",
"for privacy",
"aaaa",
"komodo",
"asnone united",
"alfper",
"as22612",
"nxdomain",
"gmt x",
"ransom",
"virtool",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"california",
"false",
"pulse pulses",
"location united",
"as16276",
"as14061",
"code",
"next",
"url http",
"hostname",
"files domain",
"files related",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"as13414 twitter",
"as32934",
"script urls",
"a domains",
"worm",
"entries",
"meta http",
"window",
"select contact",
"domain holder",
"nexus category",
"tackle company",
"postal code",
"component loop",
"apache",
"pragma",
"value0",
"ioc search",
"threat analyzer",
"hostnames",
"dangerous",
"target",
"targeting",
"hacker profile",
"cybercrime",
"fraud services",
"strange",
"tsara brashears",
"michael roberts",
"tracey richter",
"voyeurism",
"slander",
"password",
"hijacker"
],
"references": [
"https://rexxfield.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"www.akhaltsikhe.gov.ge [Germany?]",
"screencasts.rexxfield.com",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"94.130.71.173 [scanning host]",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"a.nel.cloudflare.com / api.w.org",
"miles.ns.cloudflare.com",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"https://www.google.com/?authuser=0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.CF!MTB",
"display_name": "VirTool:MSIL/CryptInject.CF!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.CF!MTB"
},
{
"id": "Win.Malware.Downloadguide-6803841-0",
"display_name": "Win.Malware.Downloadguide-6803841-0",
"target": null
},
{
"id": "Win.Packed.kkrunchy-7049457-1",
"display_name": "Win.Packed.kkrunchy-7049457-1",
"target": null
},
{
"id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.A",
"display_name": "TrojanDownloader:Win32/Upatre.A",
"target": "/malware/TrojanDownloader:Win32/Upatre.A"
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"target": null
},
{
"id": "Backdoor:Win32/Wabot.A",
"display_name": "Backdoor:Win32/Wabot.A",
"target": "/malware/Backdoor:Win32/Wabot.A"
},
{
"id": "Ransom:Win32/G And Crab!rfn",
"display_name": "Ransom:Win32/G And Crab!rfn",
"target": "/malware/Ransom:Win32/G And Crab!rfn"
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "#Lowfi:FOP:VirTool:Win32/Injector",
"display_name": "#Lowfi:FOP:VirTool:Win32/Injector",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:Win32/Fesber.A",
"display_name": "Worm:Win32/Fesber.A",
"target": "/malware/Worm:Win32/Fesber.A"
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"target": null
},
{
"id": "InstallBrain",
"display_name": "InstallBrain",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "TrojanSpy:Win32/Bradesco",
"display_name": "TrojanSpy:Win32/Bradesco",
"target": "/malware/TrojanSpy:Win32/Bradesco"
},
{
"id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65a342310ab3d2c69778d608",
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 143,
"FileHash-SHA1": 130,
"FileHash-SHA256": 1524,
"URL": 3340,
"domain": 1735,
"hostname": 1398,
"CVE": 1,
"email": 6,
"SSLCertFingerprint": 2
},
"indicator_count": 8279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "796 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a342310ab3d2c69778d608",
"name": "VirTool:MSIL/CryptInject.CF!MTB | Rexxfield? Weird stuff",
"description": "Remotely accessed device. Alleges Relationship to OTX? What I know is what I've read. Michael Roberts of Rexxfield supposedly assists, attorneys, law enforcement & helps doctors cover their crimes, injects malicious code, honeypots the web, terrorizing SA victims/allegers. Roberts is allegedly a hacker mastermind who shows his face or one of the many profiles of a hacker group targeting Tsara Brashears and https://SafeBae.org. Brashears is linked in malicious websites, Roberts suspect with ex-wife Tracey Richter alleged murderer. This is all crazy, still; Brashears is a real person in danger. I don't get it. I'm stupid",
"modified": "2024-02-13T00:04:59.507000",
"created": "2024-01-14T02:08:49.638000",
"tags": [
"threat",
"feeds ioc",
"new ioc",
"teams api",
"contact",
"paste",
"iocs",
"analyze",
"ssl certificate",
"whois record",
"historical ssl",
"resolutions",
"referrer",
"whois whois",
"communicating",
"contacted",
"family",
"roots",
"lolkek",
"redline stealer",
"hacktool",
"html info",
"title rexxfield",
"services",
"identify",
"meta tags",
"rexxfield cyber",
"investigation",
"divi child",
"site kit",
"google",
"united",
"unknown",
"as24940 hetzner",
"germany unknown",
"passive dns",
"urls",
"title",
"moved",
"scan endpoints",
"all octoseek",
"body",
"cyber stalking",
"pornographer",
"urls url",
"files",
"ip address",
"execution",
"metro",
"medium",
"show",
"search",
"ids detections",
"yara detections",
"win32",
"ppi useragent",
"installcapital",
"http",
"packing t1045",
"malware",
"write",
"obsession",
"malvertizing",
"masquerading",
"ipv4",
"pulse submit",
"url analysis",
"cookie",
"status",
"domain",
"creation date",
"trojan",
"date",
"expiration date",
"name servers",
"trojanclicker",
"encrypt",
"error",
"ransomware",
"malware generator",
"meta",
"for privacy",
"aaaa",
"komodo",
"asnone united",
"alfper",
"as22612",
"nxdomain",
"gmt x",
"ransom",
"virtool",
"log id",
"gmtn",
"digicert tls",
"rsa sha256",
"tls web",
"full name",
"digicert inc",
"california",
"false",
"pulse pulses",
"location united",
"as16276",
"as14061",
"code",
"next",
"url http",
"hostname",
"files domain",
"files related",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"cobalt strike",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"networm",
"as13414 twitter",
"as32934",
"script urls",
"a domains",
"worm",
"entries",
"meta http",
"window",
"select contact",
"domain holder",
"nexus category",
"tackle company",
"postal code",
"component loop",
"apache",
"pragma",
"value0",
"ioc search",
"threat analyzer",
"hostnames",
"dangerous",
"target",
"targeting",
"hacker profile",
"cybercrime",
"fraud services",
"strange",
"tsara brashears",
"michael roberts",
"tracey richter",
"voyeurism",
"slander",
"password",
"hijacker"
],
"references": [
"https://rexxfield.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"www.akhaltsikhe.gov.ge [Germany?]",
"screencasts.rexxfield.com",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"94.130.71.173 [scanning host]",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"a.nel.cloudflare.com / api.w.org",
"miles.ns.cloudflare.com",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"https://www.google.com/?authuser=0"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALFPER:InstallCapital",
"display_name": "ALFPER:InstallCapital",
"target": null
},
{
"id": "VirTool:MSIL/CryptInject.CF!MTB",
"display_name": "VirTool:MSIL/CryptInject.CF!MTB",
"target": "/malware/VirTool:MSIL/CryptInject.CF!MTB"
},
{
"id": "Win.Malware.Downloadguide-6803841-0",
"display_name": "Win.Malware.Downloadguide-6803841-0",
"target": null
},
{
"id": "Win.Packed.kkrunchy-7049457-1",
"display_name": "Win.Packed.kkrunchy-7049457-1",
"target": null
},
{
"id": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"display_name": "ALF:HeraklezEval:SoftwareBundler:Win32/Prepscram",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre.A",
"display_name": "TrojanDownloader:Win32/Upatre.A",
"target": "/malware/TrojanDownloader:Win32/Upatre.A"
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"display_name": "ALF:HeraklezEval:Trojan:BAT/Musecador",
"target": null
},
{
"id": "Backdoor:Win32/Wabot.A",
"display_name": "Backdoor:Win32/Wabot.A",
"target": "/malware/Backdoor:Win32/Wabot.A"
},
{
"id": "Ransom:Win32/G And Crab!rfn",
"display_name": "Ransom:Win32/G And Crab!rfn",
"target": "/malware/Ransom:Win32/G And Crab!rfn"
},
{
"id": "Ransom:Win32/WannaCrypt.A!rsm",
"display_name": "Ransom:Win32/WannaCrypt.A!rsm",
"target": "/malware/Ransom:Win32/WannaCrypt.A!rsm"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "#Lowfi:FOP:VirTool:Win32/Injector",
"display_name": "#Lowfi:FOP:VirTool:Win32/Injector",
"target": null
},
{
"id": "Nanocore RAT",
"display_name": "Nanocore RAT",
"target": null
},
{
"id": "Worm:Win32/Fesber.A",
"display_name": "Worm:Win32/Fesber.A",
"target": "/malware/Worm:Win32/Fesber.A"
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"display_name": "#LowFi:HSTR:TrojanSpy:Win32/Xtrat",
"target": null
},
{
"id": "InstallBrain",
"display_name": "InstallBrain",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Ghost RAT",
"display_name": "Ghost RAT",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Occamy",
"display_name": "Occamy",
"target": null
},
{
"id": "Agent Tesla",
"display_name": "Agent Tesla",
"target": null
},
{
"id": "TrojanSpy:Win32/Bradesco",
"display_name": "TrojanSpy:Win32/Bradesco",
"target": "/malware/TrojanSpy:Win32/Bradesco"
},
{
"id": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"display_name": "ALF:HeraklezEval:TrojanClicker:JS/Faceliker",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 143,
"FileHash-SHA1": 130,
"FileHash-SHA256": 1524,
"URL": 3340,
"domain": 1735,
"hostname": 1398,
"CVE": 1,
"email": 6,
"SSLCertFingerprint": 2
},
"indicator_count": 8279,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "796 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65944a8149f2479b2fbc6cd1",
"name": "Relic",
"description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.",
"modified": "2024-02-01T14:01:46.735000",
"created": "2024-01-02T17:40:17.890000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers nel",
"maxage5184000",
"name verdict",
"falcon sandbox",
"whois record",
"ssl certificate",
"tsara brashears",
"whois whois",
"historical ssl",
"contacted",
"highly targeted",
"hackers",
"botnet",
"apple ios",
"malicious",
"hacktool",
"quasar",
"download",
"malware",
"relic",
"monitoring",
"installer",
"tofsee",
"getprocaddress",
"indicator",
"prefetch8",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"united",
"file",
"pattern match",
"path",
"date",
"win64",
"factory",
"model",
"comspec",
"hybrid",
"general",
"click",
"strings",
"patch",
"song culture",
"tulach"
],
"references": [
"rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
"https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
"https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
"https://twitter.com/sheriffspurlock?lang=en",
"https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
"http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
"nr-data.net [Apple Private Data Collection]",
"init.ess.apple.com [backdoor, malicious script, access via media]",
"https://stackabuse.com/assets/images/apple",
"https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
"location-icloud.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
"mailtrack.io [tracking VirusTotal graphs, link trace back]",
"http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
"https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
"https://pin.it/ [faux Pinterest for TB]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
"114.114.114.114 [ Tulach Malware IP]",
"13.107.136.8 [ Tulach Malware IP redirect]",
"http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
"http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
"http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
"http://114.114.114.114/ipw.ps1",
"194.245.148.189 [CnC]",
"https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
"http://109.206.241.129/666bins/666.mpsl",
"http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
"143.244.50.213 |169.150.249.162 [malware_hosting]",
"http://watchhers.net/index.php [malware spreader]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"xred.mooo.com [pornhub trojan]",
"https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]",
"http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
"https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Comspec",
"display_name": "Comspec",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8049,
"FileHash-MD5": 388,
"FileHash-SHA1": 212,
"FileHash-SHA256": 7062,
"domain": 4401,
"hostname": 2653,
"CVE": 2,
"SSLCertFingerprint": 2
},
"indicator_count": 22769,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "808 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65618963e4e45d0c53f8e770",
"name": "ww1.imobitracking.net",
"description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.",
"modified": "2023-12-25T03:01:27.395000",
"created": "2023-11-25T05:42:59.043000",
"tags": [
"creation date",
"search",
"passive dns",
"urls",
"address",
"record value",
"emails",
"date",
"showing",
"body",
"unknown",
"cowboy",
"encrypt",
"resolver ip",
"whois lookups",
"server",
"iana id",
"registrar abuse",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"registrar",
"first",
"dns replication",
"algorithm",
"key usage",
"google",
"record type",
"ttl value",
"cname",
"data",
"v3 serial",
"contacted",
"ssl certificate",
"threat roundup",
"march",
"august",
"referrer",
"whois record",
"communicating",
"june",
"april",
"copy",
"february",
"cobalt strike",
"remcos",
"emotet",
"core",
"noname057",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"malware site",
"phishing site",
"malicious site",
"malware",
"internet storm",
"united",
"cyber threat",
"heur",
"malicious url",
"mail spammer",
"suppobox",
"bambernek",
"cronup threat",
"team",
"facebook",
"malicious",
"phishing",
"download",
"virut",
"unruy",
"bandoo",
"matsnu",
"tofsee",
"simda",
"vawtrak",
"hotmail",
"qakbot",
"asyncrat",
"tsara brashears",
"no data",
"count blacklist",
"tag tag",
"pattern match",
"ascii text",
"file",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"appdata",
"path",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"tor known",
"tor relayrouter",
"node tcp",
"traffic",
"host",
"cins active",
"poor reputation",
"spammer",
"barracuda et",
"artemis",
"iframe",
"cleaner",
"unsafe",
"riskware",
"agent",
"wacatac",
"bank",
"opencandy",
"nircmd",
"swrort",
"downldr",
"crack",
"presenoker",
"filetour",
"conduit",
"xtrat",
"azorult",
"service",
"runescape",
"acint",
"systweak",
"behav",
"tiggre",
"genkryptik",
"exploit",
"xrat",
"installcore",
"patcher",
"adload",
"win64",
"softcnapp",
"union",
"ponmocup",
"fusioncore",
"trojanspy",
"webtoolbar",
"maltiverse",
"114.114.114.114",
"tulach",
"tracking",
"apple",
"illegal",
"target",
"c2",
"cnc",
"scanning_host",
"CVE-2011-0611",
"CVE-2017-0147",
"CVE-2014-3153",
"CVE-2016-0189",
"CVE-2017-0199",
"CVE-2017-8570",
"CVE-2017-11882",
"CVE-2018-4893",
"CVE-2018-8174",
"CVE-2020-0601",
"CVE-2023-22518"
],
"references": [
"ww1.imobitracking.net",
"https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff",
"114.114.114.114",
"signin-appleid.jackpotiot.com",
"https://www.anyxxxtube.net/media/favicon/apple",
"http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://httpdev.findatoyota.com",
"https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0",
"t.prototype.hasownproperty.call",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Private Internet Access",
"display_name": "Private Internet Access",
"target": null
},
{
"id": "OpenCandy",
"display_name": "OpenCandy",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Bandoo",
"display_name": "Bandoo",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "Vawtrak",
"display_name": "Vawtrak",
"target": null
},
{
"id": "Tiggre",
"display_name": "Tiggre",
"target": null
},
{
"id": "TrojanDropper:Win32/Ponmocup",
"display_name": "TrojanDropper:Win32/Ponmocup",
"target": "/malware/TrojanDropper:Win32/Ponmocup"
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1569,
"FileHash-MD5": 489,
"URL": 7420,
"domain": 917,
"FileHash-SHA1": 247,
"email": 3,
"FileHash-SHA256": 2578,
"CVE": 11
},
"indicator_count": 13234,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "846 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64d56620fb6845e22b859e75",
"name": "Who is ENOM (DREAMHOST)",
"description": "",
"modified": "2023-09-11T00:03:40.398000",
"created": "2023-08-10T22:35:12.322000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d31d52d54a9591dd717e17",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2544,
"domain": 2507,
"URL": 2757,
"email": 26,
"CVE": 25,
"FileHash-SHA256": 61,
"FileHash-MD5": 9,
"FileHash-SHA1": 12
},
"indicator_count": 7941,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 85,
"modified_text": "951 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"Mirai: simswap.in",
"https://rexxfield.com/",
"Doing any evil thing for mone does not compute for me.",
"http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11",
"Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5",
"rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker",
"https://l.us-1.a.mimecastprotect.com/l",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://www.anyxxxtube.net/media/favicon/apple",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Zombie.A , ALF:Trojan:Win32/Cassini_f28c33a2!ibt , Backdoor:Win32/Hupigon , Backdoor:Win32/Simda , Backdoor:Win32/Simda!rfn , Backdoor:Win32/Simda.gen!A , Backdoor:Win32/Simda.gen!B ,",
"https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]",
"https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]",
"http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"init.ess.apple.com [backdoor, malicious script, access via media]",
"IDS Detections: Win32/Nuclear Checkin Potentially Unwanted Application AirInstaller PUP.Uniblue Checkin",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com",
"http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes",
"bricked.wtf",
"94.130.71.173 [scanning host]",
"Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Sabsik.TE.A!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,",
"https://pin.it/ [faux Pinterest for TB]",
"High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"xred.mooo.com [pornhub trojan]",
"https://stackabuse.com/assets/images/apple",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"IDS Detections: CryptoWall Check-in Long Fake wget 3.0 User-Agent Detected Win32.Sality-GR Checkin Win32/Nuclear Checkin",
"https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3",
"Tulach - 114.114.114.114",
"screencasts.rexxfield.com",
"http://takenlive.net/index.php | takenlive.net | batteam.live | fireyes.live | liveatparkwestapts.com",
"13.107.136.8 [ Tulach Malware IP redirect]",
"Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP",
"https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"www.akhaltsikhe.gov.ge [Germany?]",
"https://appleid-verify.servecounterstrike.com/",
"https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"http://porn.toplistcreator.eu/in.php",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"Requires further research.",
"bpp.eset.com",
"High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication",
"http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]",
"mastodon.social",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"194.245.148.189 [CnC]",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"mailtrack.io [tracking VirusTotal graphs, link trace back]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d",
"https://pin.it/ \u2022 pin.it a fake Pinterest for Tsara Brashears",
"location-icloud.com",
"https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"I apologize for the lack of reference.",
"Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"Backdoor:Win32/Hupigon: FileHash-MD5 7ef28ab7959a5178b736ec834a23443e",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2",
"http://www.sweetheartvideo.com/tsara-brashears \u2022 https://www.sweetheartvideo.com/tsara-brashears",
"http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"It appears there are 5-7 known affected that I was able to find",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"apple.com \u2022 getsupport.apple.com \u2022",
"98cc05d9c12c214deadfe71af22cd3862e7417c0 [backdoor | PPI User-Agent (InstallCapital)]",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com",
"https://clickndownload.link/iatzq4q773mo/On.Patrol.Live.S02E74.HDTV.h264-RBB.mp4.html",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a.nel.cloudflare.com / api.w.org",
"114.114.114.114",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community",
"Michael Roberts - murder suspect, victim, hacker, PI",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [text, email, collection]",
"https://ladys.one/xxx/a-tsara-brashears-zafira-porn",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing \u2022 www.anyxxxtube.net",
"Sourced from: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm",
"t.prototype.hasownproperty.call",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"TrojanDropper:Win32/Hupigon.gen!A: 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0 [Can't access file]",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"miles.ns.cloudflare.com",
"Backdoor:Win32/Hupigon: FileHash-SHA256 0c293dc93ff72f5034c821a0582a67695d7eaf25faf3f8e7d118005c47aef9b0",
"https://otx.alienvault.com/indicator/url/https://media.toxtren.com/redirect.aspx?pid=272789&&bid=1971&&lpid=2119&&subid=18b8dh9scxi7sbl11f&&sref=inhousecpa&&inhousecpa=Kiev_Dima_BR_Setki",
"143.244.50.213 |169.150.249.162 [malware_hosting]",
"http://www.google.com/images/errors/robot.png",
"https://rexxfield.com [ hmmm...inc.legal] is Alienvault a subsidiary of Rexxfields unwarranted investigation/spy campaign? Confused",
"http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.",
"Appears to be closely associated with close relative and initial victim of attack.",
"114.114.114.114 [ Tulach Malware IP]",
"https://discuss.ai.google.dev/c/gemma/10",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities",
"2018.northbaypython.org",
"http://watchhers.net/index.php [malware spreader]",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Kukacka: FileHash-SHA1 81740fc245050465a6c85023c18da7b0525eba53",
"IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99",
"http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_",
"https://www.google.com/?authuser=0",
"https://www.couriermail.com.au/ipad/custody-bid-strands-family/news-story/23c2c9a5fc984edc04d29655c641f484",
"Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer",
"http://109.206.241.129/666bins/666.mpsl",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | OS & iOS Password and Password Cracker",
"http://schoolgirl.uxxxporn.com",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"https://m.bigwetbutts.com/ tmi",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"DiabloFans.com",
"https://www.jmtstudios.org/farewell/",
"Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"http://www.objectaid.com/update/current/p2.index [AIN Phishing IOC's]",
"https://twitter.com/sheriffspurlock?lang=en",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"Kukacka: FileHash-SHA256 be22fb844f7017b1d01bdff406f0b398fcfeb9a088cb6c4616854d38dbd36bfa",
"Traceback- Man with signal jammer/ deauther working around her today.",
"http://beelinerouter.net/",
"Kukacka: FileHash-MD5 d52015668162856eef29d99ea3ec7f7a",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"nr-data.net [Apple Private Data Collection]",
"appleremotesupport.com | http://thickapple.net/index.php",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"malwareprotectionlive.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0",
"https://families.google/intl/pt-PT_ALL/familylink/",
"https://www.youtube-nocookie.com/embed/6w5ukhqvtmq",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants",
"Same legal , and quasi governmental pattern identified",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"https://www.youtube.com \u2022 https://www.youtube.com/user/CurseDiablofans",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://114.114.114.114/ipw.ps1",
"https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778",
"http://api.jmtstudios.org/",
"Every tag OTC auto populated . Crazy talk. Please see Mitre ATT&CK",
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"Backdoor:Win32/Hupigon: FileHash-SHA1 658c279b656a03d8e3fc7f5ee02fcfd937669b2d",
"https://otx.alienvault.com/indicator/ip/3.64.163.50",
"https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err",
"tracking.minitool.com trackeffect.lol",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"https://httpdev.findatoyota.com",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"init.ess.apple.com \u2022otc.greatcall.com (phone manipulators) \u2022 mailtrack.io \u2022 https://trackacourier.net",
"Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger",
"ww1.imobitracking.net",
"twitter.com \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 www.pornhub.com \u2022 oriental-porno.lat",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL",
"Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"foundry.com \u2022 helix. com",
"IDS Detections: Win32.Renos/Artro Trojan Checkin M1 W32/Hicrazyk.A Downloader Install CnC Beacon Win32.Lollipop.R Checkin M2 Win32.Lollipop.R Checkin",
"http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru",
"signin-appleid.jackpotiot.com",
"Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn",
"beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net [BitCoinAussie ?]",
"https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"div>
",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://www.akhaltsikhe.gov.ge/ | GMT Server LiteSpeed location",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"Michael Roberts Australia, Germany, Iowa, New York Friend of Ben",
"http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11",
"47.courier-push-apple.com.akadns.net",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"www.gambinospizza.com",
"High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .",
"Backdoor:Win32/Hupigon: FileHash-SHA256 22267dd9da3b0b46619ff2f2195a02e0f590a47a1dffa4d32f01f598f40cc5c0",
"https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"https://www.youtube-nocookie.com/embed/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"SALTY SPIDER"
],
"malware_families": [
"Ransom:win32/wannacrypt.a!rsm",
"Win.ransomware.bitman-9862733-0",
"Artro",
"Smoke loader",
"Win.trojan.cosmu-1058",
"Worm:win32/enosch!atmn",
"Win.dropper.vbclone-10036195-0",
"Win.malware.unsafe",
"Win.spyware.88778-2",
"Alf:heraklezeval:worm:win32/vobfus",
"Lolkek",
"Trojanspy:win32/bradesco",
"Alf:heraklezeval:trojan:bat/musecador",
"Trojan:win32/comspec",
"Emotet",
"Bandoo",
"Tiggre",
"Opencandy",
"Nanocore rat",
"Trojan:win32/qbot.r!mtb",
"Hacktool",
"Heartbleed bug",
"Vawtrak",
"#lowfi:hstr:trojanspy:win32/xtrat",
"Trojanclicker",
"#lowfi:hstr:virtool:win32/gendecnryptalgo.s02",
"Mirai",
"Win.packed.kkrunchy-7049457-1",
", win.trojan.agent-1286703",
"Installcore",
"Trojandropper:win32/ponmocup",
"Et",
"Virut",
"Win.malware.convagent-9981433-0",
"Upadter",
"Win32:crypterx-gen\\ [trj]",
"Alf:trojan:win32/vtflooder",
"Trojan:win32/dorkbot.du",
"Ransom:win32/g and crab!rfn",
"Alf:heraklezeval:trojanclicker:js/faceliker",
"Unidentified 083 (autoit stealer)",
"Trojan:win32/smkldr.h!mtb",
"Trojanspy",
"Trojan:win32/qshell",
"Virtool:win32/injector.gen!bq",
"Xls:nastya\\ [trj]",
"Suppobox",
"Occamy",
"Backdoor:win32/hupigon",
"Backdoor:win32/wabot.a",
"Webtoolbar",
"Ghost rat",
"Juko",
"Alf:trojan:win32/g3nasom!imp",
"Win.malware.downloadguide-6803841-0",
"Icedid",
"Trojandownloader:win32/upatre.a",
"Crypt4.ygm",
"Remcos",
"Other",
"Quasar rat",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Kukacka",
"Trojan:win32/danabot",
"Trojan:win32/zombie.a",
"Comspec",
"Expiro",
"Worm:win32/fesber.a",
"Xrat",
"Trojan.mydoom/muldrop",
"Cobalt strike",
"Win.malware.qshell-9875653-0",
"#lowfi:fop:virtool:win32/injector",
"Installbrain",
"Quasar",
"Alfper:installcapital",
"Trojan:win32/glupteba.mt!mtb",
"Agent tesla",
"Private internet access",
"Target saver",
"Win.malware.delf-10008156-0",
"Tulach",
"Win32:genmalicious-kag\\ [trj]",
"Worm:win32/fadok!rfn",
"Virtool:win32/obfuscator",
"Tulach malware",
"Relic",
"#lowfi:lua:dllsuspiciousexport.a",
"Virtool:msil/cryptinject.cf!mtb",
"Mydoom",
"Trojan:win32/generic",
"Win32:malware-gen",
"Tofsee",
"Alf:heraklezeval:softwarebundler:win32/prepscram",
"Zbot",
"Redline stealer"
],
"industries": [
"Finance",
"Legal",
"Media",
"Telecommunications",
"Government",
"Healthcare",
"Telecom",
"Technology"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 29,
"pulses": [
{
"id": "69a1535debec4128ab952040",
"name": "I See You, Too. #.icu",
"description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.",
"modified": "2026-04-01T00:44:45.494000",
"created": "2026-02-27T08:18:37.071000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 294,
"CVE": 22,
"URL": 278,
"FileHash-MD5": 234,
"FileHash-SHA1": 240,
"FileHash-SHA256": 1663,
"hostname": 142,
"YARA": 1,
"email": 13,
"CIDR": 2
},
"indicator_count": 2889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "25 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962d43456bb524b17e9d5ce",
"name": "Apple MyDoom + IOC\u2019s isolated from Palantir related Pahamify Pegasus | BibleGateway App | Drive by & other targeting /.monitoring Access Attacks ",
"description": "",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T22:35:32.582000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6962bb143187f7cb571ef6f5",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6962bb143187f7cb571ef6f5",
"name": "Pahamify Pegasus",
"description": "Hmmm, only able to manually add IOC\u2019s after last pulse.\n\nPulse: Pahamify Pegasus - Apple IOC\u2019s",
"modified": "2026-02-09T22:00:25.303000",
"created": "2026-01-10T20:48:20.438000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1190,
"hostname": 891,
"URL": 4201,
"FileHash-SHA256": 1555,
"email": 33,
"FileHash-MD5": 591,
"FileHash-SHA1": 400
},
"indicator_count": 8861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69312c4db6fe7eb34abd179d",
"name": "BeeLineRouter.Net \u2022 Apple \u2022 Worms \u2022 Ransom \u2022 SpyWare",
"description": "Direct- remotely accesses iOS devices. Same threat actors. Further research warranted.| \n\n#theyswarm #apple #worms #spyware #ransom #quasi",
"modified": "2026-01-03T05:02:11.376000",
"created": "2025-12-04T06:38:05.504000",
"tags": [
"worm",
"readme.exe",
"foto.pif",
"z1nic.exe",
"dynamicloader",
"high",
"windows",
"checks",
"named pipe",
"http traffic",
"ids detections",
"yara detections",
"alerts",
"launch",
"defense evasion",
"ta0005",
"files",
"msie",
"next dropped",
"process name",
"pe32",
"intel",
"ms windows",
"unknown",
"united",
"tlsv1",
"as14618",
"top source",
"top destination",
"port",
"destination",
"source source",
"matches rule",
"hidden file",
"extension",
"connection",
"http vary",
"tulach",
"url https",
"indicator role",
"active related",
"ipv4",
"url http",
"macintosh",
"intel mac",
"os x",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"bq dec",
"virtool",
"win32mydoom dec",
"trojan",
"win32cve dec",
"avast avg",
"mtb dec",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"ff d5",
"yara rule",
"ascii text",
"f0 ff",
"eb e1",
"write",
"malware",
"suspicious",
"observed dns",
"query",
"exploits",
"sid name",
"malware cve",
"exif data",
"show",
"value exe",
"next",
"all ipv4",
"pulse pulses",
"passive dns",
"urls",
"reverse dns",
"location united",
"america flag",
"ashburn",
"status",
"name servers",
"ip address",
"showing",
"domain",
"files ip",
"windows nt",
"slcc2",
"media center",
"medium",
"simda",
"internal",
"local",
"write c",
"domain add",
"ip whois",
"registrar",
"hostname",
"present jul",
"unknown ns",
"present dec",
"music",
"servers",
"hostname add",
"pulse submit",
"url analysis",
"aaaa",
"backdoor",
"entries",
"found",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"record value",
"emails",
"win32",
"mtb may",
"invalid url",
"ransom",
"trojanspy",
"msil",
"akamai",
"expiration date",
"body html",
"present nov",
"url add",
"http",
"files domain",
"files related",
"pulses none",
"related tags",
"present sep",
"present oct",
"flag",
"analysis tip",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"date",
"domain address",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"network traffic",
"ck id",
"show technique",
"mitre att",
"ck matrix",
"t1566",
"submitted url",
"t1204",
"learn",
"name tactics",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"pattern match",
"show process",
"t1071",
"t1057",
"general",
"path",
"brian sabey",
"christopher p ahmann",
"quasi",
"foundry",
"helix",
"remote attacks",
"hit men",
"sreredrum",
"pleh"
],
"references": [
"apple.com \u2022 getsupport.apple.com \u2022",
"https://www.idvd.eu/?cid=oas-japac-domains-applestore.com.cn/90.i.lolik.anyciona.patrolita.casse.897866 \u2022 oas-japac-domains-applestore.com.cn",
"http://beelinerouter.net/",
"Tulach - 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry.com \u2022 helix. com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/Fadok!rfn",
"display_name": "Worm:Win32/Fadok!rfn",
"target": "/malware/Worm:Win32/Fadok!rfn"
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Mydoom",
"display_name": "Mydoom",
"target": null
},
{
"id": "Win.Spyware.88778-2",
"display_name": "Win.Spyware.88778-2",
"target": null
},
{
"id": "Win.Malware.Delf-10008156-0",
"display_name": "Win.Malware.Delf-10008156-0",
"target": null
},
{
"id": "Trojan.MyDoom/Muldrop",
"display_name": "Trojan.MyDoom/Muldrop",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1578",
"name": "Modify Cloud Compute Infrastructure",
"display_name": "T1578 - Modify Cloud Compute Infrastructure"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1584.003",
"name": "Virtual Private Server",
"display_name": "T1584.003 - Virtual Private Server"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 422,
"FileHash-SHA1": 316,
"FileHash-SHA256": 1950,
"domain": 899,
"URL": 6117,
"email": 21,
"hostname": 2037,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 11765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68db395368d6c4042517f3f3",
"name": "Target Saver M1 Agent TSA Spy \u2022 Mastadon - Hit Tip! Thanks!",
"description": "Hot Tip! I would love to give a shout out to the person who provided this information, I\u2019m not sure if they want to remain anonymous or not. Thank SO Much!\n\nSpyware and a source for distributing malicious media. Complete foothold\non networks, browsers, phones, search history and everything, massive streaming pornography distributed, members and contributors. \n\nVery important tip. I will analyze and break down into digestible pulse sizes.",
"modified": "2025-12-27T15:01:22.545000",
"created": "2025-09-30T01:58:43.592000",
"tags": [
"http traffic",
"match info",
"http get",
"info performs",
"dns query",
"https http",
"mitre att",
"evasion ta0005",
"creates",
"info",
"oc0006 http",
"wininet c0005",
"resolved ips",
"get http",
"html document",
"unicode text",
"dynamicloader",
"fe ff",
"medium",
"x00bx00",
"uswv",
"k uswv",
"search",
"high",
"delete c",
"yara detections",
"redline",
"guard",
"write",
"united",
"present sep",
"aaaa",
"passive dns",
"urls",
"next associated",
"found",
"x content",
"hacktool",
"trojan",
"error",
"lowfi",
"win32",
"worm",
"ip address",
"mtb apr",
"ransom",
"virtool",
"ain add",
"directui",
"element",
"classinfobase",
"ccbase",
"hwndhost",
"yara rule",
"hpavvalue",
"qaejh",
"name servers",
"cryp",
"emails",
"next related",
"domain related",
"no expiration",
"url http",
"url https",
"indicator role",
"hostname",
"email",
"present jun",
"present aug",
"present jul",
"servers",
"title",
"encrypt",
"altsvc h3",
"date tue",
"acceptranges",
"reportto",
"server",
"gmt expires",
"gmt contenttype",
"script",
"expiresthu",
"maxage63072000",
"pragma",
"google safe",
"unknown ns",
"files",
"location united",
"asn as15169",
"trojandropper",
"susp",
"creation date",
"asn as133618",
"tags",
"related tags",
"indicator facts",
"backdoor",
"ipv4 add",
"click",
"artro",
"target saver",
"trojanspy",
"reverse dns",
"america flag",
"443 ma2592000",
"hostname add",
"verdict",
"present mar",
"present jan",
"present dec",
"present apr",
"ipv4",
"type indicator",
"role title",
"related pulses",
"iocs",
"moved",
"downloads",
"apple",
"microsoft",
"hexagonsystem",
"mastadon",
"status",
"twitter",
"gmt content",
"easyredir cache",
"v4 add",
"redacted for",
"privacy tech",
"privacy admin",
"registrar abuse",
"available from",
"algorithm",
"key identifier",
"x509v3 subject",
"entity",
"code",
"date",
"dnssec",
"showing",
"unknown aaaa",
"sha256",
"sha1",
"ascii text",
"ck id",
"show technique",
"ck matrix",
"meta",
"hybrid",
"general",
"local",
"path",
"strings",
"copy md5",
"copy sha1",
"copy sha256",
"certificate"
],
"references": [
"FileHash-SHA256 025ca2c59c26197f3c1cd746469a5b9fe219a748716abd90daee792f34037d63",
"mastodon.social",
"https://families.google/intl/pt-PT_ALL/familylink/",
"http://service.adultprovide.com/docs/records.htm?site=bigtitsboss",
"slscr.update.microsoft.com \u2022client.wns.windows.com \u2022 c.pki.goog \u2022 login.live.com",
"https://discuss.ai.google.dev/c/gemma/10",
"https://uj140.keap-link003.com/v2/render/acc9c3f6b0340c8e01d0d3d0e1662c9e/eJxtjjsLwjAUhf_LnTP0hdRspYQSWkXEwU1Ce4XUmob0Riil_90o0snxPD7OWYDQKEOyAw6-j7MIGDhstdVoqBwNqfYbprs4T3IGgzaPyo3eAl_-sVv-cbM0yfYRA5otho44FLKBddOXc1HW8ljdTvIqmgDjU5N4heEJODmPDJS1aLrfjxpn4Hc1TLi-ARRkO0Y=/pixel.png",
"https://m.bigwetbutts.com/ tmi",
"Spyware: FileHash-SHA256 035e393630953b89c602e7cfa3409da790e99309c2d916336147cf9c59ee1b89",
"Mirai: simswap.in",
"66.254.114.41 \u2022 brazzersnetwork.com \u2022 brazzers.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 www.pornhub.com",
"https://buildings.hexagongeosystems.com \u2022 https://connect.hexagongeosystems.com",
"https://load.ss.hexagongeosystems.com \u2022 https://rail.hexagongeosystems.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"display_name": "#Lowfi:HSTR:VirTool:Win32/GenDecnryptAlgo.S02",
"target": null
},
{
"id": "Win.Ransomware.Bitman-9862733-0",
"display_name": "Win.Ransomware.Bitman-9862733-0",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Target Saver",
"display_name": "Target Saver",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Hacktool",
"display_name": "Hacktool",
"target": null
}
],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Media",
"Legal",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2964,
"hostname": 1164,
"URL": 4334,
"domain": 956,
"FileHash-MD5": 476,
"FileHash-SHA1": 451,
"CVE": 1,
"email": 20,
"SSLCertFingerprint": 2
},
"indicator_count": 10368,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6905d40f781d7d58d4021a20",
"name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.",
"description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.",
"modified": "2025-12-20T06:00:23.758000",
"created": "2025-11-01T09:34:07.323000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8332,
"domain": 4819,
"hostname": 2165,
"FileHash-SHA256": 7369,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 23637,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "120 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69137ee5d76d486d65396af0",
"name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-11T18:22:29.976000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6906c12b1dd6a64ab1beaa55",
"name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious",
"description": "",
"modified": "2025-12-01T09:02:26.881000",
"created": "2025-11-02T02:25:47.431000",
"tags": [
"public tlp",
"trojandropper",
"other",
"references add",
"show",
"provide",
"remote",
"t1457",
"media content",
"t1480",
"subvert trust",
"controls t1562",
"modify tools",
"command history",
"ck t1027",
"t1057",
"discovery t1069",
"t1071",
"protocol t1105",
"tool transfer",
"t1113",
"logging t1568",
"t1574",
"execution flow",
"dll sideloading",
"t1583",
"ta0003",
"ck id",
"america",
"att",
"t1045",
"capture t1140",
"ipv4",
"active related",
"contact",
"adversary",
"tam legal",
"qshell",
"colorado state",
"ahmann special",
"counsel",
"download",
"ahmann",
"university",
"history",
"john marshall",
"law school",
"special counsel",
"christopher ahmann",
"defense",
"url http",
"create new",
"pulse provide",
"white",
"adversary tags",
"add tag",
"groups add",
"countries add",
"country malware",
"trojan",
"script urls",
"treece alfrey",
"meta",
"function",
"for privacy",
"germany unknown",
"united",
"script",
"ip address",
"creation date",
"date",
"tracker",
"null",
"window",
"general full",
"reverse dns",
"server",
"philadelphia",
"asn8560",
"ionosas",
"ionos",
"fasthosts",
"media",
"telecom",
"apache",
"main",
"gtagtracker",
"gatracker",
"brian sabey",
"hall render",
"fastly error",
"palantir",
"special counsel",
"gravity rat"
],
"references": [
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim",
"Traceback- Man with signal jammer/ deauther working around her today.",
"Absolutely zero regard for the victims who facilitate your luxury lifestyle.",
"Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?",
"You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!",
"This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.",
"He began a smear campaign immediately and is directly linked to Hall Render and Palantir",
"Doing any evil thing for mone does not compute for me.",
"I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.",
"He must be very scary like Peter Theil because every attorney took case then backed off.",
"Patiently waiting to see what God is going to do to all of you. You take lives for $",
"Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?",
"So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose",
"On same block with HalkRender. Has close working relationship. All Palantir legal enities"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Other",
"display_name": "Other",
"target": null
},
{
"id": "Win.Malware.Unsafe",
"display_name": "Win.Malware.Unsafe",
"target": null
},
{
"id": "Juko",
"display_name": "Juko",
"target": null
},
{
"id": "Expiro",
"display_name": "Expiro",
"target": null
},
{
"id": "Trojan:Win32/Generic",
"display_name": "Trojan:Win32/Generic",
"target": "/malware/Trojan:Win32/Generic"
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6905d40f781d7d58d4021a20",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7556,
"domain": 4779,
"hostname": 2053,
"FileHash-SHA256": 7233,
"FileHash-MD5": 474,
"FileHash-SHA1": 470,
"CVE": 4,
"email": 4
},
"indicator_count": 22573,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "139 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ee5ea4d51d4a1cabdb4ee9",
"name": "Gaming Studios - YouTube - MyDoom",
"description": "",
"modified": "2025-11-13T12:05:32.283000",
"created": "2025-10-14T14:31:00.172000",
"tags": [
"no expiration",
"url https",
"url http",
"iocs",
"ipv4",
"enter source",
"indicator role",
"title added",
"active related",
"united",
"present jul",
"unknown ns",
"search",
"for privacy",
"moved",
"ip address",
"encrypt",
"a domains",
"script urls",
"meta",
"pragma",
"general full",
"reverse dns",
"software",
"resource",
"security tls",
"piscataway",
"asn20473",
"asn15169",
"google",
"asvultr",
"portfolio",
"josh theriault",
"upei",
"university",
"island",
"roblox",
"jmt studios",
"moon engine",
"android",
"icpc",
"north america",
"qualifier",
"hello",
"apache",
"runner",
"eric everest",
"games",
"cloudflar",
"amazon02",
"as autonomous",
"system",
"canada",
"value",
"domainpath name",
"cgjerrieegaggq",
"name value",
"form",
"game development",
"blog",
"jmt99",
"developer",
"event",
"bullseye",
"trick or treat",
"unofficial trick or treat 2014",
"unofficial trick or treat 2015",
"egg hunt",
"gift hunt",
"hallows quest",
"studio",
"experience",
"fall",
"january",
"july",
"founder",
"studio head",
"passive dns",
"urls",
"registrar",
"title",
"roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"",
"press copyright",
"contact",
"privacy policy",
"safety how",
"youtube",
"test",
"nfl sunday",
"ticket",
"google llc",
"data upload",
"extraction",
"failed",
"files",
"twitter",
"variables",
"cgjjtbieggagla",
"nid value",
"expiration date",
"files ip",
"dynamicloader",
"write c",
"delete c",
"intel",
"ms windows",
"medium",
"default",
"write",
"guard",
"mozilla",
"malware",
"defender",
"unknown",
"domains",
"hashes",
"url analysis",
"unknown aaaa",
"script domains",
"certificate",
"game",
"servers",
"unofficial",
"settings",
"public",
"endpoints",
"currently",
"game servers",
"current",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"role title",
"related pulses",
"domain v",
"url indicator",
"nameilname",
"ascii text",
"mitre att",
"ck id",
"ck matrix",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"pe file",
"high",
"yara detections",
"dynamic",
"v hostname",
"se fos",
"include v",
"domain url",
"data",
"alltypes",
"win32mydoom oct",
"trojan",
"url add",
"http",
"related nids",
"files location",
"canada flag",
"canada hostname",
"canada unknown",
"canada",
"present aug",
"name servers",
"present sep",
"aaaa",
"present oct",
"crlf line",
"unicode text",
"music",
"suspicious",
"bricked.wtf",
"flag united",
"google safe",
"domain",
"address domain",
"united states",
"filehashsha256",
"hostname xn",
"finland unknown",
"filehashmd5",
"indicators hong",
"kong",
"south korea",
"present jun",
"present mar",
"present may",
"olet",
"cnr12",
"tlsv1",
"get updates",
"upatre",
"added active",
"apple",
"everest",
"josh paul",
"upadter",
"convagent",
"info stealing",
"delete service",
"phishing",
"fraud",
"social engineering",
"gamer",
"hacker",
"adversaries",
"icloud",
"found",
"gmt content",
"error",
"redacted for",
"meta http",
"content",
"gmt server",
"france unknown",
"poland unknown",
"content type",
"xml title",
"hostname add",
"address",
"location united",
"life",
"century link llc",
"xfinity",
"livesex",
"domain add",
"users",
"show",
"delete",
"blocked by quad9",
"showing",
"record value",
"location canada",
"canada asn",
"accept",
"cookie",
"macbook",
"ipv4 add",
"america flag",
"america asn",
"asn as714",
"less",
"woodynet",
"next associated",
"status",
"exclude sugges",
"ip related",
"t1027.013"
],
"references": [
"https://www.jmtstudios.org/farewell/",
"https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw",
"graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system",
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
"ConventionEngine_Term_Dropbox \u2022 Dropbox",
"http://api.jmtstudios.org/",
"bricked.wtf",
"ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com",
"http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com",
"careersandenterprise.appleid.com \u2022 http://apple.appleid.com/",
"https://forwardemail.net/es/blog/open-source/apple-email-clients",
"accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud",
"http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link",
"http://www.visitbooker.com/Dropbox-07/index.htm",
"dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/",
"Appears to be closely associated with close relative and initial victim of attack.",
"Potentially disturbing , personal , invasive, aggressive, intimate behavior of party."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Hong Kong",
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Convagent-9981433-0",
"display_name": "Win.Malware.Convagent-9981433-0",
"target": null
},
{
"id": "Upadter",
"display_name": "Upadter",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6996,
"FileHash-MD5": 281,
"FileHash-SHA1": 220,
"FileHash-SHA256": 2673,
"domain": 1747,
"email": 24,
"hostname": 2803,
"SSLCertFingerprint": 3
},
"indicator_count": 14747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "157 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "messagingengine.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "messagingengine.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776616716.5039353
}