{
  "type": "Domain",
  "indicator": "mexico.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mexico.com",
    "alexa": "http://www.alexa.com/siteinfo/mexico.com",
    "indicator": "mexico.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 112893,
      "indicator": "mexico.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c4b7b44b63ea6ea0c503d8",
          "name": "Sabey targeting | Gains access to premier Denver Recording Studio",
          "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.",
          "modified": "2024-03-09T10:04:19.572000",
          "created": "2024-02-08T11:15:00.329000",
          "tags": [
            "malware",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber espionage",
            "studio created",
            "minutes ago",
            "white goldmax",
            "sibot",
            "goldfinder",
            "python",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "entries",
            "url http",
            "pulses cve",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "urls http",
            "sample",
            "urls https",
            "filehashsha1",
            "filehashmd5",
            "ipv4",
            "types of",
            "united kingdom",
            "united",
            "india",
            "china",
            "search",
            "pega type",
            "united states",
            "url https",
            "added active",
            "related pulses",
            "backdoor type",
            "discovery",
            "command",
            "all octoseek",
            "formbook",
            "goldmax",
            "ransomware",
            "njrat",
            "hacktool",
            "maui ransomware",
            "worm",
            "next",
            "type indicator",
            "role title",
            "go",
            "sabey",
            "tulach",
            "targeting tsara brashears",
            "utah",
            "whois record",
            "contacted",
            "ssl certificate",
            "referrer",
            "whois whois",
            "resolutions",
            "collections",
            "bundled",
            "execution",
            "lokibot",
            "tracer tool",
            "c2",
            "command and control",
            "sabey",
            "targeting",
            "hacking apple"
          ],
          "references": [
            "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
            "https://sabeydatacenters.com/",
            "sabeydatacenters.com",
            "4jslg.sabeydatacenters.com",
            "https://sabeydatacenters.com/",
            "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
            "https://tulach.cc/ |   [phishing | malware engineering]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
            "nr-data.net  [Apple Private Data Collection]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Sibot",
              "display_name": "Sibot",
              "target": null
            },
            {
              "id": "GoldFinder",
              "display_name": "GoldFinder",
              "target": null
            },
            {
              "id": "Go",
              "display_name": "Go",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Maui Ransomware",
              "display_name": "Maui Ransomware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Entertainment",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 422,
            "domain": 240,
            "hostname": 495,
            "CVE": 1,
            "FileHash-MD5": 75,
            "FileHash-SHA1": 73,
            "FileHash-SHA256": 843,
            "email": 2
          },
          "indicator_count": 2151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "813 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6553b88c316cfb531b9c4c10",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com",
          "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-14T18:12:28.459000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568ab12429c394dc4b91ea",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go",
          "description": "",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-16T21:33:37.838000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6553b88c316cfb531b9c4c10",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6552d60aae6e1b3c22455088",
          "name": "Hive 0065",
          "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-14T02:06:02.329000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6552d6f5f56d2e9cd9e18a30",
          "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
          "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-14T02:09:57.370000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568b00198f82af2e88d463",
          "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
          "description": "",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-16T21:34:56.016000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6552d6f5f56d2e9cd9e18a30",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
        "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
        "home.toshiba.com",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "http://mobile.suddenlink2go.com/",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "ytq2rs56.haogfw.com",
        "4jslg.sabeydatacenters.com",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "https://tulach.cc/ |   [phishing | malware engineering]",
        "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
        "pornhub.com",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
        "myhughesnet.com",
        "sabeydatacenters.com",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "https://sabeydatacenters.com/",
        "https://monitor.rodgersmith.com",
        "nr-data.net  [Apple Private Data Collection]",
        "https://www.everycloudtech.com/free-mail-flow-monitor",
        "dishmail.net",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "monitor.cablelan.net"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Trojanspy",
            "Goldfinder",
            "Hacktool",
            "Ransomware",
            "Sibot",
            "Go",
            "Maltiverse",
            "Sabey",
            "Maui ransomware",
            "Tulach",
            "Njrat"
          ],
          "industries": [
            "Entertainment",
            "Telecommunications",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c4b7b44b63ea6ea0c503d8",
      "name": "Sabey targeting | Gains access to premier Denver Recording Studio",
      "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.",
      "modified": "2024-03-09T10:04:19.572000",
      "created": "2024-02-08T11:15:00.329000",
      "tags": [
        "malware",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "report spam",
        "author",
        "cyber espionage",
        "studio created",
        "minutes ago",
        "white goldmax",
        "sibot",
        "goldfinder",
        "python",
        "indicator role",
        "title added",
        "active related",
        "pulses url",
        "entries",
        "url http",
        "pulses cve",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "analyze",
        "hostnames",
        "urls http",
        "sample",
        "urls https",
        "filehashsha1",
        "filehashmd5",
        "ipv4",
        "types of",
        "united kingdom",
        "united",
        "india",
        "china",
        "search",
        "pega type",
        "united states",
        "url https",
        "added active",
        "related pulses",
        "backdoor type",
        "discovery",
        "command",
        "all octoseek",
        "formbook",
        "goldmax",
        "ransomware",
        "njrat",
        "hacktool",
        "maui ransomware",
        "worm",
        "next",
        "type indicator",
        "role title",
        "go",
        "sabey",
        "tulach",
        "targeting tsara brashears",
        "utah",
        "whois record",
        "contacted",
        "ssl certificate",
        "referrer",
        "whois whois",
        "resolutions",
        "collections",
        "bundled",
        "execution",
        "lokibot",
        "tracer tool",
        "c2",
        "command and control",
        "sabey",
        "targeting",
        "hacking apple"
      ],
      "references": [
        "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
        "https://sabeydatacenters.com/",
        "sabeydatacenters.com",
        "4jslg.sabeydatacenters.com",
        "https://sabeydatacenters.com/",
        "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
        "https://tulach.cc/ |   [phishing | malware engineering]",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
        "nr-data.net  [Apple Private Data Collection]"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Sibot",
          "display_name": "Sibot",
          "target": null
        },
        {
          "id": "GoldFinder",
          "display_name": "GoldFinder",
          "target": null
        },
        {
          "id": "Go",
          "display_name": "Go",
          "target": null
        },
        {
          "id": "NjRAT",
          "display_name": "NjRAT",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Sabey",
          "display_name": "Sabey",
          "target": null
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        },
        {
          "id": "Maui Ransomware",
          "display_name": "Maui Ransomware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1215",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1215 - Kernel Modules and Extensions"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1491",
          "name": "Defacement",
          "display_name": "T1491 - Defacement"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Entertainment",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 422,
        "domain": 240,
        "hostname": 495,
        "CVE": 1,
        "FileHash-MD5": 75,
        "FileHash-SHA1": 73,
        "FileHash-SHA256": 843,
        "email": 2
      },
      "indicator_count": 2151,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "813 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6553b88c316cfb531b9c4c10",
      "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com",
      "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet",
      "modified": "2023-12-14T15:03:30.417000",
      "created": "2023-11-14T18:12:28.459000",
      "tags": [
        "united",
        "blacklist",
        "malicious site",
        "mail spammer",
        "detection list",
        "cisco umbrella",
        "site",
        "safe site",
        "malware",
        "phishing site",
        "heur",
        "malware site",
        "alexa top",
        "million",
        "unsafe",
        "artemis",
        "riskware",
        "conduit",
        "agent",
        "opencandy",
        "xtrat",
        "iframe",
        "cleaner",
        "team",
        "installpack",
        "xrat",
        "tiggre",
        "presenoker",
        "fusioncore",
        "wacatac",
        "azorult",
        "phishing",
        "service",
        "runescape",
        "facebook",
        "bank",
        "download",
        "crack",
        "softcnapp",
        "trojanspy",
        "maltiverse",
        "falcon sandbox",
        "pattern match",
        "root ca",
        "authority",
        "class",
        "script",
        "ascii text",
        "mitre att",
        "localappdata",
        "temp",
        "ck id",
        "date",
        "unknown",
        "generator",
        "critical",
        "error",
        "meta",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "expiressun",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "pt3uc1",
        "path",
        "movies",
        "watch",
        "html info",
        "meta tags",
        "suddenlink tv",
        "trackers amazon",
        "pt3rc1",
        "whois record",
        "whois whois",
        "ssl certificate",
        "historical",
        "historical ssl",
        "referrer",
        "communicating",
        "dropped",
        "contacted",
        "apple ios",
        "hacktool",
        "metro",
        "malicious",
        "crypto",
        "installer",
        "attack",
        "awful",
        "brian sabey",
        "aig",
        "civicaIg",
        "tracking",
        "password crack",
        "tulach",
        "target tsara brashears",
        "tylerknott",
        "att",
        "monitoring",
        "spyware",
        "spying",
        "cybercrime",
        "tulach",
        "hughesnet",
        "ios",
        "toshiba",
        "attack",
        "malvertizing",
        "cyber stalking",
        "porn",
        "pornhub"
      ],
      "references": [
        "http://mobile.suddenlink2go.com/",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "myhughesnet.com",
        "dishmail.net",
        "home.toshiba.com",
        "ytq2rs56.haogfw.com",
        "pornhub.com",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "monitor.cablelan.net",
        "https://monitor.rodgersmith.com",
        "https://www.everycloudtech.com/free-mail-flow-monitor"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 144,
        "FileHash-SHA1": 179,
        "FileHash-SHA256": 4528,
        "CVE": 7,
        "domain": 2024,
        "hostname": 3556,
        "URL": 10455
      },
      "indicator_count": 20893,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "899 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65568ab12429c394dc4b91ea",
      "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go",
      "description": "",
      "modified": "2023-12-14T15:03:30.417000",
      "created": "2023-11-16T21:33:37.838000",
      "tags": [
        "united",
        "blacklist",
        "malicious site",
        "mail spammer",
        "detection list",
        "cisco umbrella",
        "site",
        "safe site",
        "malware",
        "phishing site",
        "heur",
        "malware site",
        "alexa top",
        "million",
        "unsafe",
        "artemis",
        "riskware",
        "conduit",
        "agent",
        "opencandy",
        "xtrat",
        "iframe",
        "cleaner",
        "team",
        "installpack",
        "xrat",
        "tiggre",
        "presenoker",
        "fusioncore",
        "wacatac",
        "azorult",
        "phishing",
        "service",
        "runescape",
        "facebook",
        "bank",
        "download",
        "crack",
        "softcnapp",
        "trojanspy",
        "maltiverse",
        "falcon sandbox",
        "pattern match",
        "root ca",
        "authority",
        "class",
        "script",
        "ascii text",
        "mitre att",
        "localappdata",
        "temp",
        "ck id",
        "date",
        "unknown",
        "generator",
        "critical",
        "error",
        "meta",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "expiressun",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "pt3uc1",
        "path",
        "movies",
        "watch",
        "html info",
        "meta tags",
        "suddenlink tv",
        "trackers amazon",
        "pt3rc1",
        "whois record",
        "whois whois",
        "ssl certificate",
        "historical",
        "historical ssl",
        "referrer",
        "communicating",
        "dropped",
        "contacted",
        "apple ios",
        "hacktool",
        "metro",
        "malicious",
        "crypto",
        "installer",
        "attack",
        "awful",
        "brian sabey",
        "aig",
        "civicaIg",
        "tracking",
        "password crack",
        "tulach",
        "target tsara brashears",
        "tylerknott",
        "att",
        "monitoring",
        "spyware",
        "spying",
        "cybercrime",
        "tulach",
        "hughesnet",
        "ios",
        "toshiba",
        "attack",
        "malvertizing",
        "cyber stalking",
        "porn",
        "pornhub"
      ],
      "references": [
        "http://mobile.suddenlink2go.com/",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "myhughesnet.com",
        "dishmail.net",
        "home.toshiba.com",
        "ytq2rs56.haogfw.com",
        "pornhub.com",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "monitor.cablelan.net",
        "https://monitor.rodgersmith.com",
        "https://www.everycloudtech.com/free-mail-flow-monitor"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6553b88c316cfb531b9c4c10",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 144,
        "FileHash-SHA1": 179,
        "FileHash-SHA256": 4528,
        "CVE": 7,
        "domain": 2024,
        "hostname": 3556,
        "URL": 10455
      },
      "indicator_count": 20893,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "899 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6552d60aae6e1b3c22455088",
      "name": "Hive 0065",
      "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
      "modified": "2023-12-13T16:00:45.799000",
      "created": "2023-11-14T02:06:02.329000",
      "tags": [
        "united",
        "as8075",
        "creation date",
        "unknown",
        "search",
        "entries",
        "asnone country",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "related domains",
        "show",
        "domain related",
        "xbox",
        "whois record",
        "contacted",
        "whois whois",
        "ssl certificate",
        "communicating",
        "referrer",
        "execution",
        "historical ssl",
        "bundled",
        "family",
        "lolkek",
        "formbook",
        "skynet",
        "lockbit",
        "ursnif",
        "attack",
        "core"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4276,
        "email": 3,
        "hostname": 2288,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 49,
        "FileHash-SHA256": 2756,
        "URL": 8696,
        "CVE": 1
      },
      "indicator_count": 18120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6552d6f5f56d2e9cd9e18a30",
      "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
      "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
      "modified": "2023-12-13T16:00:45.799000",
      "created": "2023-11-14T02:09:57.370000",
      "tags": [
        "united",
        "as8075",
        "creation date",
        "unknown",
        "search",
        "entries",
        "asnone country",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "related domains",
        "show",
        "domain related",
        "xbox",
        "whois record",
        "contacted",
        "whois whois",
        "ssl certificate",
        "communicating",
        "referrer",
        "execution",
        "historical ssl",
        "bundled",
        "family",
        "lolkek",
        "formbook",
        "skynet",
        "lockbit",
        "ursnif",
        "attack",
        "core"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4276,
        "email": 3,
        "hostname": 2288,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 49,
        "FileHash-SHA256": 2756,
        "URL": 8696,
        "CVE": 1
      },
      "indicator_count": 18120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65568b00198f82af2e88d463",
      "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
      "description": "",
      "modified": "2023-12-13T16:00:45.799000",
      "created": "2023-11-16T21:34:56.016000",
      "tags": [
        "united",
        "as8075",
        "creation date",
        "unknown",
        "search",
        "entries",
        "asnone country",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "related domains",
        "show",
        "domain related",
        "xbox",
        "whois record",
        "contacted",
        "whois whois",
        "ssl certificate",
        "communicating",
        "referrer",
        "execution",
        "historical ssl",
        "bundled",
        "family",
        "lolkek",
        "formbook",
        "skynet",
        "lockbit",
        "ursnif",
        "attack",
        "core"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "6552d6f5f56d2e9cd9e18a30",
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4276,
        "email": 3,
        "hostname": 2288,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 49,
        "FileHash-SHA256": 2756,
        "URL": 8696,
        "CVE": 1
      },
      "indicator_count": 18120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 231,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mexico.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mexico.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780247309.386252
}