{
  "type": "Domain",
  "indicator": "microad.jp",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/microad.jp",
    "alexa": "http://www.alexa.com/siteinfo/microad.jp",
    "indicator": "microad.jp",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #3530",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain microad.jp",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain microad.jp",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3531488029,
      "indicator": "microad.jp",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 17,
      "pulses": [
        {
          "id": "69ca5d583057aaefed16789a",
          "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
          "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
          "modified": "2026-04-29T11:26:13.615000",
          "created": "2026-03-30T11:24:08.053000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "default",
            "sha256",
            "sha1",
            "data",
            "info",
            "accept",
            "win64",
            "damage",
            "openssl",
            "shutdown",
            "direct",
            "explorer",
            "title",
            "payload",
            "rdap",
            "ip version",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity sg679",
            "handle",
            "stealc config",
            "cncs http"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 351,
            "URL": 392,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 197,
            "email": 12,
            "hostname": 68,
            "CIDR": 4
          },
          "indicator_count": 1341,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695089cbedad5c86f39b1363",
          "name": "Tracking Domains 03.03.26 (Updated Test)",
          "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
          "modified": "2026-04-05T06:35:43.679000",
          "created": "2025-12-28T01:37:15.993000",
          "tags": [
            "privacy badger",
            "sites general",
            "settings widget",
            "domains manage",
            "data privacy",
            "badger",
            "hide"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
            "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
            "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
            "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50404,
            "hostname": 10879,
            "URL": 715,
            "FileHash-MD5": 1
          },
          "indicator_count": 61999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6958372ef9da31513d96bebb",
          "name": "Connected-IOS remotely connected to 180.4.1.2 \u2022  ocn.ad.jp -NTT Communications Corporation",
          "description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022  ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced |  180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.",
          "modified": "2026-02-01T20:00:08.812000",
          "created": "2026-01-02T21:22:54.247000",
          "tags": [
            "syscall",
            "nsrunloop",
            "objcclass",
            "region type",
            "start",
            "vsize",
            "prtmax shrmod",
            "region detailn",
            "unused space",
            "at startn",
            "guard",
            "urls",
            "url analysis",
            "verdict",
            "domain",
            "address",
            "location japan",
            "hikone",
            "japan asn",
            "as4713 ntt",
            "related tags",
            "none external",
            "aaaa",
            "united",
            "passive dns",
            "ip address",
            "japan",
            "present dec",
            "domain add",
            "files",
            "japan unknown",
            "present jul",
            "present oct",
            "present sep",
            "present aug",
            "present jun",
            "japan showing",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "reverse dns",
            "present nov",
            "present",
            "present may",
            "present mar",
            "present apr",
            "data upload",
            "extraction",
            "failed",
            "files ip",
            "moved",
            "gmt content",
            "ipv4 add",
            "location united",
            "title",
            "ipv4",
            "dns resolutions",
            "hostname add",
            "asn as4713",
            "all ipv4",
            "google",
            "ocn ntt",
            "googlecl",
            "http",
            "amazon02",
            "akamaias",
            "page url",
            "yahoojp",
            "december",
            "jp summary",
            "february",
            "asn15169",
            "tokyo",
            "kansas city",
            "asn396982",
            "asn30286",
            "asn16509",
            "cisco",
            "umbrella rank",
            "cisco umbrella",
            "rank",
            "kitashinagawa",
            "sureserver ev",
            "ca g3",
            "domains",
            "hashes",
            "microsoft",
            "docomo business",
            "ml14325",
            "as autonomous",
            "asn8075",
            "ip information",
            "ipasns ip",
            "detail domain",
            "domain tree",
            "links domain",
            "requested",
            "value",
            "automatic",
            "webgl",
            "please",
            "mr value",
            "muid value",
            "mjl function",
            "dcmlinker",
            "paq string",
            "kb script",
            "b image",
            "b script",
            "frame a344",
            "redirect chain",
            "kb document",
            "frame",
            "b xhr",
            "kb image",
            "fetch collect",
            "request chain",
            "redirected",
            "http redirect",
            "name servers",
            "redacted for",
            "servers",
            "unknown aaaa",
            "search",
            "for privacy",
            "domeny serwery",
            "verdana tahoma",
            "arial",
            "gmt contenttype",
            "meta",
            "small",
            "results jan",
            "present jan",
            "status",
            "record value",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "process details",
            "flag",
            "japan japan",
            "pattern match",
            "ascii text",
            "mitre att",
            "ck id",
            "null",
            "refresh",
            "span",
            "hybrid",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "learn",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "command",
            "found",
            "defense evasion",
            "monitored target",
            "pulse submit",
            "wikipedia",
            "imap",
            "smtp",
            "ocn open",
            "discussion",
            "stub",
            "jprs database",
            "ocnnttocn",
            "maintenance",
            "outages notice",
            "lock status",
            "state",
            "connected",
            "organization",
            "type",
            "name",
            "server",
            "name server",
            "connected date",
            "algorithm",
            "key identifier",
            "data",
            "v3 serial",
            "number",
            "cjp ocybertrust",
            "ev ca",
            "g3 validity",
            "ku ontt",
            "docomo",
            "record type",
            "ttl value",
            "thumbprint",
            "emails",
            "date",
            "trojan",
            "pegasus",
            "title error",
            "hostname",
            "pulse pulses",
            "entries",
            "mtb apr",
            "lowfi",
            "win32",
            "a domains",
            "body",
            "worm",
            "virtool",
            "cybota",
            "showing",
            "palantir",
            "prometheus"
          ],
          "references": [
            "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
            "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
            "ocn.ad.jp - Registrant Org: NTT Communications Corporation",
            "Page Title:  \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
            "Nippon Telegraph and Telephone Corporation one governmental now privated",
            "computersandsoftware \u2022 portal sites \u2022 search engines and portals",
            "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
            "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
            "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
            "https://discussions.apple.com/thread/255214328?sortBy=rank",
            "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
            "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
            "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
            "swarm-foundry.com",
            "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org  Domain kinkfuck.com \u2022 nobodycares.art",
            "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
            "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
            "server-3-164-143-102.nrt20.r.cloudfront.net",
            "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
            "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
            "https://ww41.porn25.com/",
            "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
            "If something curious is found on privatelybowen property we have a constitutional  right to examine it.",
            "Other constitutional rights and privileges written in law where severe courses of action is allowed",
            "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
            "Device targeted with l RMS Modules by male in Denver, Co",
            "Attempts to clip target at high rate of speed.Seen again at her residence in October",
            "Target was monitored in store and followed home needed to stop multiple times , change routes.",
            "Multiple attackers. Don\u2019t believe me, look at the pulses.  Caged in by male with deauther watch.",
            "Most of the people doing this are  50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
            "The older the smarter the way better. These people are brilliant , ruthless and dangerous",
            "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
            "Malicious activity seen since a Pulse regarding school outage.",
            "Location search was used to find device users address. It\u2019s with me.",
            "Delete service is being used on this Threat service",
            "Many indicators point to an IP this block is on.",
            "It\u2019s so out of hand,m for 16 people.",
            "https://prometheus-pushgateway-internal.preview.tp-staging.com/",
            "prometheus.netmaker.vonnue.dev",
            "prometheus.dev.aws.finoa.io",
            "Prometheus - Alien God? Morality through the eyes of the immoral",
            "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2879,
            "domain": 1372,
            "URL": 5788,
            "FileHash-SHA256": 1720,
            "CVE": 1,
            "FileHash-MD5": 238,
            "FileHash-SHA1": 241,
            "email": 13
          },
          "indicator_count": 12252,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "119 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ed117e2308a042e50e1e9e",
          "name": "Investigation of Distribution Vectors and Threat Network Infrastructure",
          "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.",
          "modified": "2025-11-23T23:20:07.571000",
          "created": "2023-08-28T21:28:30.294000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
            "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
            "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
            "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
            "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
            "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
            "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
            "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
            "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
            "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
            "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
            "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
            "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
            "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
            "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
            "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
            "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
            "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
            "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
            "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
            "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
            "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
            "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
            "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
            "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
            "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
            "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
            "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
            "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
            "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
            "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
            "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
            "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
            "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
            "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
            "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
            "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
            "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
            "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
            "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
            "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
            "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 111,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 236,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1421,
            "URL": 9580,
            "CIDR": 30,
            "domain": 10205,
            "email": 12,
            "hostname": 517612,
            "IPv4": 11,
            "CVE": 62
          },
          "indicator_count": 539308,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 146,
          "modified_text": "189 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691b61e16cea7624a6606a69",
          "name": "For Later",
          "description": "***",
          "modified": "2025-11-17T18:46:19.094000",
          "created": "2025-11-17T17:56:49.875000",
          "tags": [
            "wormhole",
            "want",
            "sign",
            "submit send",
            "copy",
            "share show",
            "report delete",
            "faq roadmap",
            "security legal",
            "twitter discord",
            "protected"
          ],
          "references": [
            "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 72127,
            "hostname": 16700,
            "URL": 50
          },
          "indicator_count": 88877,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "195 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5555b6ce863d998e83e26",
          "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
          "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
          "modified": "2025-05-11T19:03:59.885000",
          "created": "2025-04-08T16:56:59.641000",
          "tags": [
            "generated from",
            "do not",
            "edit uri",
            "urls",
            "edit",
            "rewriteengine",
            "rewritecond",
            "rewriterule",
            "r301",
            "xml2encalias",
            "beralloct",
            "berbvarrayadd",
            "berbvarrayfree",
            "berbvdup",
            "berbvecadd",
            "berbvecfree",
            "berbvfree",
            "berdump",
            "berdup",
            "berdupbv",
            "laerrordomain",
            "laerrornoncekey",
            "lamechanismtree",
            "lacontext",
            "ladomainstate",
            "laenvironment",
            "lanotification",
            "laprivatekey",
            "lapublickey",
            "laright",
            "apple swift",
            "o librarylevel",
            "combine import",
            "foundation",
            "swift import",
            "mcpeerid",
            "mcsession",
            "property",
            "copyright",
            "protocol",
            "class",
            "bonjour",
            "ascii lowercase",
            "abc company",
            "section",
            "bonjour txt",
            "note",
            "ui element",
            "utf8 encoding",
            "nscopying",
            "nsdictionary",
            "nsstring",
            "mcextern",
            "attribute",
            "mcextern extern",
            "mcexternweak",
            "nsenum",
            "nsinteger",
            "mcerrorcode",
            "mcerrorunknown",
            "mcerrortimedout",
            "peer",
            "example",
            "bonjour apis",
            "stop",
            "tags",
            "session",
            "nsprogress",
            "nserror",
            "nsurl",
            "nsarray",
            "create",
            "nsuinteger",
            "notifies",
            "mcsession api",
            "interface",
            "dbictrace",
            "dbivporth",
            "dbictracelevel",
            "dbdtffoo",
            "dbihseterrchar",
            "dbicstate",
            "dbictraceflags",
            "provides macros",
            "dbi release",
            "only",
            "sqlsuccess",
            "odbc",
            "sqlok",
            "tim bunce",
            "england",
            "sql cli",
            "sql datatype",
            "sqlguid",
            "sqlwlongvarchar",
            "main",
            "beware",
            "sv sth",
            "sv dbh",
            "impsth",
            "impdbh",
            "sv keysv",
            "sv params",
            "sv attr",
            "sv attribs",
            "sv drh",
            "void",
            "fri jul",
            "mixed",
            "dbixsrevision",
            "plsvundef",
            "license",
            "spagain",
            "perlioprintf",
            "dbiclogpio",
            "putback",
            "ireland",
            "gnu general",
            "super",
            "magic",
            "dbicflags",
            "dbis",
            "svrv",
            "null",
            "imp2com",
            "dbicactivekids",
            "dbicfiadestroy",
            "sv h",
            "dbicdbistate",
            "code",
            "copy",
            "refer",
            "trace",
            "error",
            "unknown",
            "hookopcheckh",
            "startexternc",
            "hookopcheckcb",
            "userdata",
            "endexternc",
            "isinternalbuild",
            "kickmcxdforuid",
            "loadappkit",
            "ardconfig",
            "authenticator",
            "dsauthenticator",
            "dsnode",
            "dsrecord",
            "group",
            "hostconfig",
            "apfsvolumelock",
            "apfsvolumerole",
            "aoskgetosinfo",
            "aoskgetuserinfo",
            "aosaddappleid",
            "aosdisablepcs",
            "aosenablepcs",
            "aoslog",
            "aoslogforce",
            "aosrelaycookie",
            "didfailcallback",
            "kaosaccountkey",
            "kapcsbundle",
            "kapcspath",
            "kjsonextension",
            "apcsbucketid",
            "apcsreports",
            "apconfiguration",
            "apversiondata",
            "apversionhelper",
            "systemvolumesvm",
            "name size",
            "identifier",
            "gb disk0s3",
            "devdisk3",
            "apfs container",
            "scheme",
            "physical store",
            "macintosh hd",
            "apfs snapshot",
            "preboot",
            "refs address",
            "size wired",
            "name",
            "version",
            "uuid",
            "linked against",
            "renderer",
            "helper",
            "chrome helper",
            "contains",
            "cloud ui",
            "macintosh",
            "khtml",
            "gecko",
            "ui helper",
            "plugin",
            "service",
            "good",
            "battery power",
            "apfs encryption",
            "jumpcloud go",
            "chrome web",
            "store",
            "privacy badger",
            "flowcrypt",
            "encrypt gmail",
            "simple",
            "google",
            "b2b phone",
            "number",
            "apollo",
            "future",
            "exccrash",
            "sigkill",
            "code signature",
            "invalid",
            "sigabrt",
            "protonvpn",
            "excguard",
            "excbreakpoint",
            "sigtrap",
            "excbadaccess",
            "appl",
            "english",
            "adobe crash",
            "adobe",
            "acrobat dcadobe",
            "processor",
            "uninstaller",
            "assistant",
            "install",
            "cloud",
            "dock",
            "calendar",
            "music",
            "terminal",
            "tips",
            "installer",
            "updater",
            "proton",
            "tools",
            "stub",
            "python",
            "clock",
            "powershell",
            "team",
            "rave scout",
            "cookies",
            "public folder",
            "key cert",
            "sign",
            "crl sign",
            "root ca",
            "authority",
            "public primary",
            "global root",
            "verisign",
            "academic",
            "premium",
            "adaptive",
            "interactive",
            "background",
            "standard",
            "launchd sandbox",
            "s mdworker",
            "agent",
            "command line",
            "progress",
            "yubico",
            "macos13action",
            "disableoverride",
            "disableairdrop",
            "denyactivation",
            "enable",
            "loginwindowtext",
            "jumpcloud",
            "autoupdate",
            "loggingoption",
            "enablefirewall",
            "arm64e",
            "apple m2",
            "mac142",
            "kjqqtw7pqt",
            "daemon",
            "server",
            "open directory",
            "user",
            "account",
            "kerberos admin",
            "kerberos change",
            "device daemon",
            "network",
            "desktop",
            "screensaver",
            "bridge",
            "aesxtsarm",
            "aesecbarm",
            "sha512vngarmhw",
            "sha384vngarmhw",
            "sha256vngarm",
            "sha1vngarm",
            "darwin kernel",
            "wed mar",
            "wkarraycreate",
            "wkbooleancreate",
            "wkcontextcreate",
            "wkdatacreate",
            "wkdatagettypeid",
            "wkdoublecreate",
            "wkframecopyurl",
            "wkgettypeid",
            "wkimagecreate",
            "wkpagecandelete",
            "webview",
            "notice",
            "this software",
            "including",
            "but not",
            "limited to",
            "redistribution",
            "is provided",
            "by apple",
            "direct",
            "damage",
            "apiavailable",
            "webkit",
            "nsswiftname",
            "document",
            "a block",
            "as is",
            "hasinclude",
            "wkdownload",
            "abstract",
            "wkerrorcode",
            "wkerrorunknown",
            "discussion",
            "bool",
            "whether",
            "wkcontentworld",
            "wkwebview",
            "javascript",
            "nsunavailable",
            "vaargs",
            "nsswiftasync",
            "wkswiftasync",
            "wkcookiepolicy",
            "wkswiftuiactor",
            "nshttpcookie",
            "targetosiphone",
            "wknavigation",
            "decides",
            "boolean value",
            "apideprecated",
            "methodkind",
            "wkerrordomain",
            "wkscriptmessage",
            "promise",
            "fulfill",
            "const",
            "url scheme",
            "mark",
            "wkuserscript",
            "targetosvision",
            "param",
            "wkframeinfo",
            "targetosios",
            "pass",
            "window",
            "mime type",
            "link",
            "nsimage",
            "returns",
            "nsset",
            "checks",
            "matches",
            "a boolean",
            "defaults",
            "wkwebextension",
            "cgsize",
            "uiimage",
            "apis",
            "nsdate",
            "wkcontentmode",
            "wkextern",
            "possible",
            "cgfloat",
            "media",
            "cgrect",
            "apiunavailable",
            "framework",
            "nsswiftuiactor",
            "targetoswatch",
            "confirms",
            "apple upgrade",
            "nsstring user",
            "nsobject",
            "provider",
            "apple",
            "password",
            "uicontrol",
            "nscontrol",
            "asuseragerange",
            "check",
            "opaque user",
            "apple id",
            "initiate",
            "asauthorization",
            "operation",
            "state",
            "nserrorenum",
            "nsdata",
            "relying party",
            "asapiavailable",
            "perform",
            "realm",
            "http response",
            "authorization",
            "http",
            "oauth",
            "saml",
            "a byte",
            "nsdata userid",
            "relying",
            "a string",
            "nsdata readdata",
            "bool didwrite",
            "a cose",
            "nsdata first",
            "nsdata second",
            "nsstring name",
            "bool appid",
            "targetosxr",
            "nsstring appid",
            "bluetooth",
            "mdm profile",
            "nsurl url",
            "returns yes",
            "a state",
            "a json",
            "web token",
            "private seckeys",
            "enables",
            "keychain",
            "asswiftsendable",
            "cose algorithm",
            "ecdsa",
            "sha256",
            "cose curve",
            "p256",
            "nullable",
            "bool success",
            "remove",
            "call",
            "complete",
            "initializes",
            "time code",
            "extensions",
            "asextern extern",
            "asextern",
            "nsswiftsendable",
            "prepare",
            "list",
            "nsextension",
            "attempt",
            "nsstring label",
            "creates",
            "nsstring code",
            "a key",
            "webauthn",
            "nssecurecoding",
            "input",
            "output",
            "initialize",
            "nsinteger rank",
            "json",
            "inputs",
            "hash",
            "nsstring origin",
            "settings app",
            "extension",
            "https urls",
            "safari",
            "cancel",
            "nsuuid uuid",
            "r uftpexu",
            "nsmutabledata",
            "vnsdate",
            "mprcjy",
            "postfix",
            "domain",
            "canonical",
            "tables",
            "ldap",
            "post",
            "replace user",
            "address",
            "wietse venema",
            "bugs",
            "mail",
            "aliases",
            "postfix version",
            "restrict",
            "sample",
            "person",
            "basic system",
            "general",
            "reject empty",
            "postfix smtp",
            "ipv6 host",
            "reject",
            "reply",
            "access",
            "prior",
            "hold",
            "info",
            "mail delivery",
            "charset",
            "system",
            "report",
            "postfix dsn",
            "mail returned",
            "this",
            "generic",
            "smtp",
            "isp mail",
            "mime",
            "headerchecks",
            "readme files",
            "filters while",
            "posix",
            "empty",
            "body",
            "write",
            "date",
            "smtp server",
            "specify",
            "mx host",
            "unix password",
            "user unknown",
            "pathbin",
            "postfix queue",
            "unix",
            "cyrus",
            "path",
            "uucp",
            "shell",
            "local",
            "program",
            "agreement",
            "contributor",
            "recipient",
            "contribution",
            "the program",
            "corporation",
            "contributors",
            "product x",
            "as expressly",
            "arch",
            "arch x8664",
            "pipe wall",
            "wimplicit",
            "ranlib",
            "warn",
            "switch",
            "start",
            "systype",
            "outlook",
            "postfix master",
            "begin",
            "server admin",
            "mail backend",
            "modern smtp",
            "iana",
            "many",
            "postfix pipe",
            "recent cyrus",
            "amos gouaux",
            "old example",
            "or even",
            "lutz jaenicke",
            "technology",
            "cottbus",
            "germany",
            "openssl package",
            "openssl project",
            "europe",
            "remember that",
            "use of",
            "file",
            "update",
            "usrsbin",
            "file format",
            "no group",
            "daemondirectory",
            "deliver mail",
            "transport",
            "description",
            "result format",
            "virtual",
            "virtual alias",
            "redirect mail",
            "relocated",
            "matches user",
            "synopsis",
            "lastname",
            "firstname",
            "apple computer",
            "tcpip",
            "supported",
            "quantum",
            "facility",
            "level",
            "level info",
            "broadcast",
            "ignore",
            "rules",
            "sender",
            "automounter map",
            "use directory",
            "get home",
            "home autohome",
            "true",
            "t option",
            "mount",
            "force",
            "environment",
            "automountdenv",
            "promptcommand",
            "shellsessiondir",
            "histfile",
            "histfilesize",
            "myvar",
            "histtimeformat",
            "arrange",
            "bashrematch",
            "tell",
            "ps1h",
            "make bash",
            "s checkwinsize",
            "etcbashrc",
            "termprogram",
            "inpck",
            "nnnbaud",
            "berkeley",
            "parity",
            "pc entry",
            "pass8",
            "parenb istrip",
            "fixed speed",
            "entry",
            "clocal mode",
            "maxhistsize",
            "promptmode",
            "verbose end",
            "etcirbrcloaded",
            "default",
            "setup",
            "history file",
            "kernel",
            "readline",
            "jabber",
            "group database",
            "dovecot",
            "postfix scsd",
            "networkd",
            "searchpaths",
            "freebsd",
            "tmpdir",
            "fcodes",
            "prunepaths",
            "vartmp",
            "prunedirs",
            "filesystems",
            "nroff",
            "manpath",
            "uncomment",
            "manpager",
            "whatispager",
            "manlocale",
            "every",
            "manpath optman",
            "maybe",
            "troff",
            "status mailfrom",
            "returnpath via",
            "pidfile",
            "flags",
            "bcgjnuwz",
            "bin usrsbin",
            "sbin",
            "default pf",
            "care",
            "audio",
            "user database",
            "unix copy",
            "gate daemon",
            "bashno",
            "r etcbashrc",
            "rfc1323",
            "m1460",
            "macos x",
            "signature",
            "linux",
            "opera",
            "xp sp1",
            "windows sp1",
            "nmap syn",
            "m265",
            "synack",
            "mind",
            "macos",
            "warp",
            "ipv6",
            "internet",
            "icmp",
            "cisco",
            "monitoring",
            "argus",
            "chaos",
            "rsvp",
            "encapsulation",
            "aris",
            "isis",
            "netbootmount",
            "netbootshadow",
            "computername",
            "localonly",
            "localnetbootdir",
            "netboot",
            "define",
            "purpose",
            "networkonly",
            "waiting",
            "networkup",
            "term",
            "devnull",
            "common setup",
            "configure",
            "set command",
            "dns hostname",
            "dns query",
            "see also",
            "kame",
            "sunnet manager",
            "rpcsrc",
            "netlicense",
            "ftpd",
            "bindash binksh",
            "binsh bintcsh",
            "jumpcloud ldap",
            "smb2",
            "security",
            "workgroup",
            "standalone",
            "samba server",
            "enforce",
            "smb3",
            "example share",
            "improper use",
            "ctrlc",
            "none",
            "fax reception",
            "hardwired",
            "0007",
            "must",
            "visudo",
            "blocksize",
            "charset lang",
            "language lcall",
            "lines columns",
            "lscolors",
            "sshauthsock",
            "orion",
            "setup user",
            "home",
            "zdotdir",
            "delete",
            "beep",
            "vendor",
            "kf10",
            "kf11",
            "kf12",
            "kf13",
            "backspace",
            "insert",
            "resume",
            "termsessionid",
            "savehist",
            "sharehistory",
            "h do",
            "volume",
            "de l",
            "l uuid",
            "m tra",
            "n est",
            "suuid",
            "prfen",
            "fusion",
            "syst",
            "look",
            "executant",
            "alla",
            "over",
            "test",
            "overie",
            "zapis",
            "rapid",
            "disco usa",
            "de macos",
            "nie s",
            "i denne",
            "adgjmpsvx",
            "diskgthis disk",
            "01k8x j",
            "34disk",
            "levy kytt",
            "dict",
            "array",
            "plist",
            "apple root",
            "code signing",
            "inode64r",
            "xofkoxzh",
            "integer",
            "doctype",
            "brain",
            "abcd",
            "ogwo",
            "boaw",
            "cobwa",
            "uhawavauatsh",
            "ip bitmap",
            "foewdc",
            "could",
            "ip block",
            "funcs",
            "cogwo",
            "trash",
            "double",
            "hunt",
            "affa",
            "carr",
            "crypto",
            "docwbac",
            "q1b0",
            "q1 0",
            "h h5",
            "docwbag",
            "slice",
            "format",
            "zero",
            "alfa",
            "hera",
            "lelei",
            "hehe",
            "hisp",
            "fail",
            "katy",
            "zakk",
            "eodwcbgao",
            "hhk8di",
            "alma",
            "topo",
            "open",
            "huhk",
            "piper",
            "hehx",
            "eh ui",
            "h20hph",
            "hif h",
            "hmhhihqhyla hq",
            "r11b0",
            "target",
            "uus10u",
            "hifh",
            "loghookfailed",
            "loghook",
            "hell",
            "q1b 0",
            "f duh",
            "aqw1",
            "1160"
          ],
          "references": [
            "index.html.en",
            "bind.html",
            "caching.html",
            "BUILDING",
            "configuring.html",
            "content-negotiation.html",
            "custom-error.html",
            "convenience.map",
            "LDAP.tbd",
            "lber.h",
            "ldap.h",
            "LocalAuthentication.tbd",
            "arm64e-apple-macos.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-macos.swiftinterface",
            "MultipeerConnectivity.tbd",
            "module.modulemap",
            "MCNearbyServiceAdvertiser.h",
            "MCPeerID.h",
            "MCError.h",
            "MCNearbyServiceBrowser.h",
            "MCAdvertiserAssistant.h",
            "MultipeerConnectivity.apinotes",
            "MultipeerConnectivity.h",
            "MCSession.h",
            "MCBrowserViewController.h",
            "dbivport.h",
            "dbi_sql.h",
            "dbd_xsh.h",
            "dbixs_rev.h",
            "Driver_xst.h",
            "DBIXS.h",
            "hook_op_check.h",
            "Admin.tbd",
            "AirPlayReceiver.tbd",
            "apfs_boot_mount.tbd",
            "AOSKit.tbd",
            "APConfigurationSystem.tbd",
            "AppleFirmwareUpdate.tbd",
            "launchdaemons.txt",
            "preboot_archive_errors.log",
            "mounts.txt",
            "launchagents.txt",
            "disk_structure.txt",
            "user_launchagents.txt",
            "security_status.txt",
            "kexts.txt",
            "process_list.txt",
            "battery.csv",
            "diskEncryption.csv",
            "chromeExtensions.csv",
            "crashes.csv",
            "interfaceAddrs.csv",
            "kernel.csv",
            "interfaceDetails.csv",
            "etcHosts.csv",
            "applications.csv",
            "mounts.csv",
            "sharedFolders.csv",
            "certificates.csv",
            "sharingPreferences.csv",
            "launchD.csv",
            "usbDevices.csv",
            "managedPolicies.csv",
            "systemInfo.csv",
            "users.csv",
            "sipConfig.csv",
            "systemControls.csv",
            "canonical",
            "aliases",
            "custom_header_checks",
            "access",
            "bounce.cf.default",
            "generic",
            "header_checks",
            "main.cf.default",
            "LICENSE",
            "makedefs.out",
            "main.cf",
            "master.cf.default",
            "main.cf.proto",
            "master.cf.proto",
            "master.cf",
            "TLS_LICENSE",
            "postfix-files",
            "transport",
            "virtual",
            "relocated",
            "afpovertcp.cfg",
            "asl.conf",
            "auto_home",
            "auto_master",
            "autofs.conf",
            "bashrc_Apple_Terminal",
            "com.apple.screensharing.agent.launchd",
            "bashrc",
            "command_args.json",
            "csh.cshrc",
            "csh.login",
            "find.codes",
            "csh.logout",
            "ftpusers",
            "gettytab",
            "irbrc",
            "kern_loader.conf",
            "group",
            "locate.rc",
            "man.conf",
            "mail.rc",
            "manpaths",
            "networks",
            "nfs.conf",
            "newsyslog.conf",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "paths",
            "pf.conf",
            "passwd",
            "profile",
            "pf.os",
            "protocols",
            "rc.netboot",
            "rc.common",
            "rmtab",
            "resolv.conf",
            "rtadvd.conf",
            "rpc",
            "shells",
            "smb.conf",
            "sudo_lecture",
            "ttys",
            "syslog.conf",
            "xtab",
            "sudoers",
            "zprofile",
            "zshrc",
            "zshrc_Apple_Terminal",
            "CodeResources",
            "version.plist",
            "Info.plist"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia Hacker Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lastname",
              "display_name": "Lastname",
              "target": null
            },
            {
              "id": "Firstname",
              "display_name": "Firstname",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4449,
            "domain": 3847,
            "URL": 14263,
            "FileHash-SHA256": 2356,
            "FileHash-MD5": 223,
            "FileHash-SHA1": 523,
            "email": 223,
            "CVE": 40,
            "CIDR": 12,
            "SSLCertFingerprint": 302
          },
          "indicator_count": 26238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "385 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b0fa3624bf0384e427f2e7",
          "name": "Tracking Domains 4.2 - 08.19.24",
          "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
          "modified": "2024-09-04T15:01:01.432000",
          "created": "2024-08-05T16:13:42.563000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
            "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
            "https://viz.greynoise.io/query/AS4611",
            "https://urlscan.io/asn/AS4611",
            "https://urlscan.io/search/#asn:%22AS4611%22",
            "https://urlscan.io/asn/AS45090",
            "https://urlscan.io/search/#asn%3A%22AS45090%22",
            "https://viz.greynoise.io/query/AS45090",
            "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
            "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
            "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
            "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6180,
            "FileHash-MD5": 1,
            "domain": 24921,
            "URL": 10854
          },
          "indicator_count": 41956,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "634 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b1f33258a8e26033b17",
          "name": "Tracking Domains - Part 4.1",
          "description": "More Tracking Domains",
          "modified": "2024-08-30T13:02:28.335000",
          "created": "2024-04-22T17:15:11.398000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
            "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 94496,
            "FileHash-MD5": 63,
            "domain": 112327,
            "URL": 166918,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 103,
            "CIDR": 216
          },
          "indicator_count": 374156,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "640 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b204ecfba63974dc1d8",
          "name": "Tracking Domains - Part 4",
          "description": "More Tracking Domains",
          "modified": "2024-05-22T17:04:45.215000",
          "created": "2024-04-22T17:15:12.353000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 792,
            "FileHash-MD5": 1,
            "domain": 5803,
            "URL": 2
          },
          "indicator_count": 6598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "739 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ac688725adf28284e2efe9",
          "name": "\"No Problems\": Investigation of Distribution Vectors and Threat Network Infrastructure",
          "description": "Investigation of Distribution Vectors and Threat Network Infrastructure\n\nAn analysis of Malware Distribution and Threats stemming from an Internal Breach at the University of Alberta. Retrospective & 'In-Progress' tracking, identification, and characterization among affected individuals/organizations, services, and platforms.\n\nJust your average student looking for a solution to help identify or 'link together' some on-going issue(s) with a few things(? - [insert noun] ) and/or also fixing things & 'learning-on-the-fly' - which all definitely 'have everything to do with my education and skillset' [insert bitterness & sarcasm].\n\nApparently meeting the academic standards for implementing and enforcing a 'secure environment' and protecting students relies on: 1) The innovative approach of a 'remote Google-Meet teardown' of everything but your devices, data, or software issues and 2) The 'Holistic Model' of \"we don't do 'in-person' technical support\" because \"we are un-hackable\".",
          "modified": "2024-03-11T07:12:06.930000",
          "created": "2023-07-10T20:22:31.492000",
          "tags": [],
          "references": [
            "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
            "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
            "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
            "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Mexico",
            "United States of America",
            "Aruba",
            "Panama",
            "Canada",
            "Anguilla"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 467,
            "domain": 767,
            "hostname": 402,
            "URL": 142,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 1929,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657091100e9f5aa6eb534fb4",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "",
          "modified": "2023-12-06T15:19:44.839000",
          "created": "2023-12-06T15:19:44.839000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "domain": 2723,
            "URL": 442
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f152513c2dcc0f4e3406e",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-10-30T02:29:57.489000",
          "created": "2023-10-30T02:29:57.489000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "65133d6945641812c2ccc6ee",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "945 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f1524792f3064843d826f",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-10-30T02:29:56.006000",
          "created": "2023-10-30T02:29:56.006000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "65133d6945641812c2ccc6ee",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "945 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65133d6945641812c2ccc6ee",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-09-27T21:01:26.901000",
          "created": "2023-09-26T20:22:01.290000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "650fda65975555b2dabc023e",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "977 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650fda65975555b2dabc023e",
          "name": "Threat Network Root  & Distribution Vectors Probe ( disabe_duck curated pulse) ",
          "description": "",
          "modified": "2023-09-27T21:01:26.901000",
          "created": "2023-09-24T06:42:45.462000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "64ed117e2308a042e50e1e9e",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "977 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64e6d1d8a39e9bf68a0eb83d",
          "name": "Threat Network Investigation ",
          "description": "",
          "modified": "2023-08-24T03:43:20.121000",
          "created": "2023-08-24T03:43:20.121000",
          "tags": [],
          "references": [
            "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
            "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
            "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
            "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Mexico",
            "United States of America",
            "Aruba",
            "Panama",
            "Canada",
            "Anguilla"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": "64ac688725adf28284e2efe9",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 467,
            "domain": 762,
            "hostname": 269,
            "URL": 139
          },
          "indicator_count": 1786,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "1012 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62ef13ad6547ed183dba3f3c",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "see im reading that domain as bro ca project",
          "modified": "2022-08-07T01:21:49.761000",
          "created": "2022-08-07T01:21:49.761000",
          "tags": [
            "strong",
            "github",
            "jump",
            "github desktop",
            "sign",
            "iosrulescript",
            "quantumult",
            "boxjs",
            "chouchoui",
            "code issues",
            "contact",
            "star",
            "desktop",
            "stars",
            "footer",
            "view",
            "pull",
            "wiki security",
            "unicode",
            "copy",
            "wegare123vmt",
            "phoenix",
            "jquery",
            "discord",
            "ruby",
            "chinaz",
            "startpage"
          ],
          "references": [
            "geosite.dat.html",
            "https://github.com/blackmatrix7/ios_rule_script"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "URL": 442,
            "domain": 2723
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 395,
          "modified_text": "1394 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "sharedFolders.csv",
        "header_checks",
        "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
        "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
        "group",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "relocated",
        "kernel.csv",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
        "bashrc",
        "arm64e-apple-macos.swiftinterface",
        "MultipeerConnectivity.h",
        "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
        "Info.plist",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "notify.conf",
        "Target was monitored in store and followed home needed to stop multiple times , change routes.",
        "launchagents.txt",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
        "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
        "csh.cshrc",
        "arm64e-apple-ios-macabi.swiftinterface",
        "TLS_LICENSE",
        "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
        "https://viz.greynoise.io/query/AS4611",
        "content-negotiation.html",
        "APConfigurationSystem.tbd",
        "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
        "users.csv",
        "aliases",
        "afpovertcp.cfg",
        "profile",
        "pf.os",
        "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
        "version.plist",
        "security_status.txt",
        "interfaceDetails.csv",
        "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
        "dbi_sql.h",
        "sipConfig.csv",
        "master.cf",
        "ntp_opendirectory.conf",
        "custom-error.html",
        "postfix-files",
        "makedefs.out",
        "resolv.conf",
        "master.cf.proto",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
        "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "csh.login",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "https://prometheus-pushgateway-internal.preview.tp-staging.com/",
        "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
        "main.cf.default",
        "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "MCSession.h",
        "etcHosts.csv",
        "sharingPreferences.csv",
        "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
        "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
        "prometheus.netmaker.vonnue.dev",
        "prometheus.dev.aws.finoa.io",
        "MCAdvertiserAssistant.h",
        "Driver_xst.h",
        "irbrc",
        "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
        "https://viz.greynoise.io/query/AS45090",
        "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
        "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
        "networks",
        "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
        "find.codes",
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
        "Prometheus - Alien God? Morality through the eyes of the immoral",
        "https://urlscan.io/asn/AS45090",
        "computersandsoftware \u2022 portal sites \u2022 search engines and portals",
        "dbixs_rev.h",
        "nfs.conf",
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "sudoers",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE",
        "ldap.h",
        "configuring.html",
        "AOSKit.tbd",
        "bounce.cf.default",
        "kern_loader.conf",
        "paths",
        "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
        "autofs.conf",
        "It\u2019s so out of hand,m for 16 people.",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "Location search was used to find device users address. It\u2019s with me.",
        "module.modulemap",
        "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
        "pf.conf",
        "MCNearbyServiceAdvertiser.h",
        "systemControls.csv",
        "mail.rc",
        "rpc",
        "shells",
        "zshrc_Apple_Terminal",
        "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
        "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
        "Malicious activity seen since a Pulse regarding school outage.",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
        "auto_home",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "manpaths",
        "swarm-foundry.com",
        "newsyslog.conf",
        "MCBrowserViewController.h",
        "csh.logout",
        "battery.csv",
        "Admin.tbd",
        "index.html.en",
        "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
        "rtadvd.conf",
        "launchD.csv",
        "protocols",
        "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
        "com.apple.screensharing.agent.launchd",
        "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
        "Many indicators point to an IP this block is on.",
        "zshrc",
        "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "server-3-164-143-102.nrt20.r.cloudfront.net",
        "asl.conf",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
        "dbd_xsh.h",
        "xtab",
        "sudo_lecture",
        "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
        "https://ww41.porn25.com/",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
        "AppleFirmwareUpdate.tbd",
        "passwd",
        "process_list.txt",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
        "convenience.map",
        "ocn.ad.jp - Registrant Org: NTT Communications Corporation",
        "Attempts to clip target at high rate of speed.Seen again at her residence in October",
        "x86_64-apple-ios-macabi.swiftinterface",
        "Delete service is being used on this Threat service",
        "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
        "apfs_boot_mount.tbd",
        "Most of the people doing this are  50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
        "ftpusers",
        "https://urlscan.io/asn/AS4611",
        "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
        "gettytab",
        "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]",
        "https://discussions.apple.com/thread/255214328?sortBy=rank",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
        "generic",
        "master.cf.default",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "geosite.dat.html",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
        "mounts.csv",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "bashrc_Apple_Terminal",
        "LocalAuthentication.tbd",
        "auto_master",
        "dbivport.h",
        "ntp.conf",
        "rc.netboot",
        "diskEncryption.csv",
        "syslog.conf",
        "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
        "MCNearbyServiceBrowser.h",
        "https://github.com/blackmatrix7/ios_rule_script",
        "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
        "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
        "LICENSE",
        "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
        "The older the smarter the way better. These people are brilliant , ruthless and dangerous",
        "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
        "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
        "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
        "Multiple attackers. Don\u2019t believe me, look at the pulses.  Caged in by male with deauther watch.",
        "BUILDING",
        "CodeResources",
        "x86_64-apple-macos.swiftinterface",
        "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
        "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org  Domain kinkfuck.com \u2022 nobodycares.art",
        "crashes.csv",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
        "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
        "applications.csv",
        "DBIXS.h",
        "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
        "MultipeerConnectivity.apinotes",
        "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
        "LDAP.tbd",
        "interfaceAddrs.csv",
        "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God.",
        "Page Title:  \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
        "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
        "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
        "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
        "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
        "Device targeted with l RMS Modules by male in Denver, Co",
        "MultipeerConnectivity.tbd",
        "managedPolicies.csv",
        "access",
        "main.cf",
        "main.cf.proto",
        "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
        "If something curious is found on privatelybowen property we have a constitutional  right to examine it.",
        "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
        "transport",
        "user_launchagents.txt",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "man.conf",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
        "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
        "virtual",
        "AirPlayReceiver.tbd",
        "systemInfo.csv",
        "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
        "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
        "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
        "preboot_archive_errors.log",
        "mounts.txt",
        "disk_structure.txt",
        "smb.conf",
        "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am",
        "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
        "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
        "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
        "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
        "kexts.txt",
        "command_args.json",
        "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
        "certificates.csv",
        "caching.html",
        "locate.rc",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "MCError.h",
        "MCPeerID.h",
        "chromeExtensions.csv",
        "Nippon Telegraph and Telephone Corporation one governmental now privated",
        "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
        "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
        "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
        "usbDevices.csv",
        "zprofile",
        "Other constitutional rights and privileges written in law where severe courses of action is allowed",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
        "launchdaemons.txt",
        "rmtab",
        "custom_header_checks",
        "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
        "canonical",
        "ttys",
        "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "bind.html",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
        "lber.h",
        "rc.common",
        "hook_op_check.h"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "DragonForce Malaysia Hacker Group",
            "Unknown APT Group(s) / Threat Actor (s)"
          ],
          "malware_families": [
            "Lastname",
            "Firstname"
          ],
          "industries": [
            "Education",
            "Healthcare",
            "Technology",
            "Government",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 17,
  "pulses": [
    {
      "id": "69ca5d583057aaefed16789a",
      "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
      "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
      "modified": "2026-04-29T11:26:13.615000",
      "created": "2026-03-30T11:24:08.053000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "default",
        "sha256",
        "sha1",
        "data",
        "info",
        "accept",
        "win64",
        "damage",
        "openssl",
        "shutdown",
        "direct",
        "explorer",
        "title",
        "payload",
        "rdap",
        "ip version",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity sg679",
        "handle",
        "stealc config",
        "cncs http"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 351,
        "URL": 392,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 197,
        "email": 12,
        "hostname": 68,
        "CIDR": 4
      },
      "indicator_count": 1341,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "33 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695089cbedad5c86f39b1363",
      "name": "Tracking Domains 03.03.26 (Updated Test)",
      "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
      "modified": "2026-04-05T06:35:43.679000",
      "created": "2025-12-28T01:37:15.993000",
      "tags": [
        "privacy badger",
        "sites general",
        "settings widget",
        "domains manage",
        "data privacy",
        "badger",
        "hide"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50404,
        "hostname": 10879,
        "URL": 715,
        "FileHash-MD5": 1
      },
      "indicator_count": 61999,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6958372ef9da31513d96bebb",
      "name": "Connected-IOS remotely connected to 180.4.1.2 \u2022  ocn.ad.jp -NTT Communications Corporation",
      "description": "Retaliation? IOS remotely connected to 180.4.1.2 \u2022  ocn.ad.jp -NTT Communications Corporation for malicious control | found in the analytics of a highly target device: I\u2019ve included related pulses from 2 other threat responders and an Apple discussion post. Surprisingly, most of the IoC\u2019s pulsed came from one page of analytics. | \u2022 \"avconferenced\", \"procPath\" : \"\\/usr\\/libexec\\/avconferenced |  180.4.1.2 | a version of\npegasus found. | https://prometheus-pushgateway-internal.preview.tp-staging.com/\t\nhostname: prometheus.netmaker.vonnue.dev\t\nhostname: prometheus.dev.aws.finoa.io |\nSince Prometheus pulse . I realize now every Prometheus pulse illicits outrageous behavior.. Is this a secret society? Try to be more secretive. Owl heads in lawn. This behavior illicits investigation for a fix. Please STOP. I\u2019m done looking at Prometheus. Please stop leaving artifacts.",
      "modified": "2026-02-01T20:00:08.812000",
      "created": "2026-01-02T21:22:54.247000",
      "tags": [
        "syscall",
        "nsrunloop",
        "objcclass",
        "region type",
        "start",
        "vsize",
        "prtmax shrmod",
        "region detailn",
        "unused space",
        "at startn",
        "guard",
        "urls",
        "url analysis",
        "verdict",
        "domain",
        "address",
        "location japan",
        "hikone",
        "japan asn",
        "as4713 ntt",
        "related tags",
        "none external",
        "aaaa",
        "united",
        "passive dns",
        "ip address",
        "japan",
        "present dec",
        "domain add",
        "files",
        "japan unknown",
        "present jul",
        "present oct",
        "present sep",
        "present aug",
        "present jun",
        "japan showing",
        "urls show",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "reverse dns",
        "present nov",
        "present",
        "present may",
        "present mar",
        "present apr",
        "data upload",
        "extraction",
        "failed",
        "files ip",
        "moved",
        "gmt content",
        "ipv4 add",
        "location united",
        "title",
        "ipv4",
        "dns resolutions",
        "hostname add",
        "asn as4713",
        "all ipv4",
        "google",
        "ocn ntt",
        "googlecl",
        "http",
        "amazon02",
        "akamaias",
        "page url",
        "yahoojp",
        "december",
        "jp summary",
        "february",
        "asn15169",
        "tokyo",
        "kansas city",
        "asn396982",
        "asn30286",
        "asn16509",
        "cisco",
        "umbrella rank",
        "cisco umbrella",
        "rank",
        "kitashinagawa",
        "sureserver ev",
        "ca g3",
        "domains",
        "hashes",
        "microsoft",
        "docomo business",
        "ml14325",
        "as autonomous",
        "asn8075",
        "ip information",
        "ipasns ip",
        "detail domain",
        "domain tree",
        "links domain",
        "requested",
        "value",
        "automatic",
        "webgl",
        "please",
        "mr value",
        "muid value",
        "mjl function",
        "dcmlinker",
        "paq string",
        "kb script",
        "b image",
        "b script",
        "frame a344",
        "redirect chain",
        "kb document",
        "frame",
        "b xhr",
        "kb image",
        "fetch collect",
        "request chain",
        "redirected",
        "http redirect",
        "name servers",
        "redacted for",
        "servers",
        "unknown aaaa",
        "search",
        "for privacy",
        "domeny serwery",
        "verdana tahoma",
        "arial",
        "gmt contenttype",
        "meta",
        "small",
        "results jan",
        "present jan",
        "status",
        "record value",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "process details",
        "flag",
        "japan japan",
        "pattern match",
        "ascii text",
        "mitre att",
        "ck id",
        "null",
        "refresh",
        "span",
        "hybrid",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "learn",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "command",
        "found",
        "defense evasion",
        "monitored target",
        "pulse submit",
        "wikipedia",
        "imap",
        "smtp",
        "ocn open",
        "discussion",
        "stub",
        "jprs database",
        "ocnnttocn",
        "maintenance",
        "outages notice",
        "lock status",
        "state",
        "connected",
        "organization",
        "type",
        "name",
        "server",
        "name server",
        "connected date",
        "algorithm",
        "key identifier",
        "data",
        "v3 serial",
        "number",
        "cjp ocybertrust",
        "ev ca",
        "g3 validity",
        "ku ontt",
        "docomo",
        "record type",
        "ttl value",
        "thumbprint",
        "emails",
        "date",
        "trojan",
        "pegasus",
        "title error",
        "hostname",
        "pulse pulses",
        "entries",
        "mtb apr",
        "lowfi",
        "win32",
        "a domains",
        "body",
        "worm",
        "virtool",
        "cybota",
        "showing",
        "palantir",
        "prometheus"
      ],
      "references": [
        "ocn.ne.jp \u2022 180.4.1.2 \u2022 gateway1.ocn.ad.jp",
        "login.ocn.ne.jp 122.28.88.229 \u2022 outpost@alpha.ocn.ne.jp",
        "ocn.ad.jp - Registrant Org: NTT Communications Corporation",
        "Page Title:  \u30ed\u30b0\u30a4\u30f3 | OCN\u30e1\u30fc\u30eb | OCN",
        "Nippon Telegraph and Telephone Corporation one governmental now privated",
        "computersandsoftware \u2022 portal sites \u2022 search engines and portals",
        "(Found on targeted iOS device) mr-file-connector-193.api.auxosandbox.com",
        "Guardicore by CyberHunterAutoFeed \u2022 https://otx.alienvault.com/pulse/655d47fb128a006a7d06afa2",
        "Japanese Phishing Site by pingineer \u2022 https://otx.alienvault.com/pulse/61d3b380c44ee030dd092a80",
        "https://discussions.apple.com/thread/255214328?sortBy=rank",
        "https://urlscan.io/result/98a3575f-9b94-4ef3-ae84-8e585f882151/#indicators",
        "Interesting (found in pulse) https://www.studentfinancewales.co.uk/contact",
        "kalpak.palantirfedstart.com \u2022 lsauth-vault.palantirfedstart.com \u2022 sandboxes-ranunculus.palantirfedstart.com",
        "swarm-foundry.com",
        "When you see silly related domains it\u2019s probably Palantir kids: fuckingshitshow.org  Domain kinkfuck.com \u2022 nobodycares.art",
        "heavy-r.com \u2022 fartyphant.com \u2022 uglyphant.com \u2022 maciej.sztajerwald@gmail.com",
        "https://hybrid-analysis.com/sample/6af451b8e64c3f8abafc84e776fe6c257888e0875b2d22c75b23b13960f46567/69580966ed3458719b0f0ed5",
        "server-3-164-143-102.nrt20.r.cloudfront.net",
        "ec2-3-115-135-167.ap-northeast-1.compute.amazonaws.com",
        "ec2-57-181-50-85.ap-northeast-1.compute.amazonaws.com",
        "https://ww41.porn25.com/",
        "https://otx.alienvault.com/indicator/url/https://t.notif-laposte.info/TrackActions/NGJlYjE5NjZhZDlkODU0NzE3Yzg3Zjk3ODJkMmMxZWRjMTlkODAxZmEyMjY5YjU5YjY1MGU1OWFmZTdhMDlhMmM2YjY3ZTBiYzYwNWUwODdmMzkzZDc5ZjAwNDViODM1OGU5MTA0M2IzMjRmOGQwNTgxZGZjMmUyODFlZDI3MDYzZTQzNzg4NGVkMWJmMDgwMzM0NTA5OGRmY2M0NTVjZA",
        "If something curious is found on privatelybowen property we have a constitutional  right to examine it.",
        "Other constitutional rights and privileges written in law where severe courses of action is allowed",
        "iOS device, Update 26.2 , heavily monitored target of death threats, attempts & unfortunate outcome..",
        "Device targeted with l RMS Modules by male in Denver, Co",
        "Attempts to clip target at high rate of speed.Seen again at her residence in October",
        "Target was monitored in store and followed home needed to stop multiple times , change routes.",
        "Multiple attackers. Don\u2019t believe me, look at the pulses.  Caged in by male with deauther watch.",
        "Most of the people doing this are  50\u2019s plus, plus. There are youngsters but many grey haired , grandparents",
        "The older the smarter the way better. These people are brilliant , ruthless and dangerous",
        "Phone recently accessed, a tiny unauthorized speaker was on. Threat actors connected.",
        "Malicious activity seen since a Pulse regarding school outage.",
        "Location search was used to find device users address. It\u2019s with me.",
        "Delete service is being used on this Threat service",
        "Many indicators point to an IP this block is on.",
        "It\u2019s so out of hand,m for 16 people.",
        "https://prometheus-pushgateway-internal.preview.tp-staging.com/",
        "prometheus.netmaker.vonnue.dev",
        "prometheus.dev.aws.finoa.io",
        "Prometheus - Alien God? Morality through the eyes of the immoral",
        "Prometheus- allegedly related to Peter Thiel , Elon Musk and tech bro Joes who are playing God."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2879,
        "domain": 1372,
        "URL": 5788,
        "FileHash-SHA256": 1720,
        "CVE": 1,
        "FileHash-MD5": 238,
        "FileHash-SHA1": 241,
        "email": 13
      },
      "indicator_count": 12252,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "119 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64ed117e2308a042e50e1e9e",
      "name": "Investigation of Distribution Vectors and Threat Network Infrastructure",
      "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.",
      "modified": "2025-11-23T23:20:07.571000",
      "created": "2023-08-28T21:28:30.294000",
      "tags": [
        "Domains",
        "ip addresses",
        "URLs",
        "Files",
        "Alberta Health Services",
        "BEC",
        "Education",
        "University of Alberta",
        "Government of Alberta",
        "Covenant Health Alberta",
        "Telus Communications",
        "Canadian Universities",
        "Malicious Certificates",
        "Digital Identity Theft / Credential Theft"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
        "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
        "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
        "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
        "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
        "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
        "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
        "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
        "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
        "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
        "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
        "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
        "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
        "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
        "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
        "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
        "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
        "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
        "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
        "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
        "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
        "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
        "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
        "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
        "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
        "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
        "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
        "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
        "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
        "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
        "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
        "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
        "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
        "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
        "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
        "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
        "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
        "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
        "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
        "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
        "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
        "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
        "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
        "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
        "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
        "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]"
      ],
      "public": 1,
      "adversary": "Unknown APT Group(s) / Threat Actor (s)",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Philippines",
        "Panama",
        "Netherlands",
        "Anguilla",
        "Saint Vincent and the Grenadines",
        "Aruba",
        "Mexico",
        "Guatemala",
        "Costa Rica",
        "Tanzania, United Republic of"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 111,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 236,
        "FileHash-SHA1": 139,
        "FileHash-SHA256": 1421,
        "URL": 9580,
        "CIDR": 30,
        "domain": 10205,
        "email": 12,
        "hostname": 517612,
        "IPv4": 11,
        "CVE": 62
      },
      "indicator_count": 539308,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 146,
      "modified_text": "189 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691b61e16cea7624a6606a69",
      "name": "For Later",
      "description": "***",
      "modified": "2025-11-17T18:46:19.094000",
      "created": "2025-11-17T17:56:49.875000",
      "tags": [
        "wormhole",
        "want",
        "sign",
        "submit send",
        "copy",
        "share show",
        "report delete",
        "faq roadmap",
        "security legal",
        "twitter discord",
        "protected"
      ],
      "references": [
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 72127,
        "hostname": 16700,
        "URL": 50
      },
      "indicator_count": 88877,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "195 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f5555b6ce863d998e83e26",
      "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
      "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
      "modified": "2025-05-11T19:03:59.885000",
      "created": "2025-04-08T16:56:59.641000",
      "tags": [
        "generated from",
        "do not",
        "edit uri",
        "urls",
        "edit",
        "rewriteengine",
        "rewritecond",
        "rewriterule",
        "r301",
        "xml2encalias",
        "beralloct",
        "berbvarrayadd",
        "berbvarrayfree",
        "berbvdup",
        "berbvecadd",
        "berbvecfree",
        "berbvfree",
        "berdump",
        "berdup",
        "berdupbv",
        "laerrordomain",
        "laerrornoncekey",
        "lamechanismtree",
        "lacontext",
        "ladomainstate",
        "laenvironment",
        "lanotification",
        "laprivatekey",
        "lapublickey",
        "laright",
        "apple swift",
        "o librarylevel",
        "combine import",
        "foundation",
        "swift import",
        "mcpeerid",
        "mcsession",
        "property",
        "copyright",
        "protocol",
        "class",
        "bonjour",
        "ascii lowercase",
        "abc company",
        "section",
        "bonjour txt",
        "note",
        "ui element",
        "utf8 encoding",
        "nscopying",
        "nsdictionary",
        "nsstring",
        "mcextern",
        "attribute",
        "mcextern extern",
        "mcexternweak",
        "nsenum",
        "nsinteger",
        "mcerrorcode",
        "mcerrorunknown",
        "mcerrortimedout",
        "peer",
        "example",
        "bonjour apis",
        "stop",
        "tags",
        "session",
        "nsprogress",
        "nserror",
        "nsurl",
        "nsarray",
        "create",
        "nsuinteger",
        "notifies",
        "mcsession api",
        "interface",
        "dbictrace",
        "dbivporth",
        "dbictracelevel",
        "dbdtffoo",
        "dbihseterrchar",
        "dbicstate",
        "dbictraceflags",
        "provides macros",
        "dbi release",
        "only",
        "sqlsuccess",
        "odbc",
        "sqlok",
        "tim bunce",
        "england",
        "sql cli",
        "sql datatype",
        "sqlguid",
        "sqlwlongvarchar",
        "main",
        "beware",
        "sv sth",
        "sv dbh",
        "impsth",
        "impdbh",
        "sv keysv",
        "sv params",
        "sv attr",
        "sv attribs",
        "sv drh",
        "void",
        "fri jul",
        "mixed",
        "dbixsrevision",
        "plsvundef",
        "license",
        "spagain",
        "perlioprintf",
        "dbiclogpio",
        "putback",
        "ireland",
        "gnu general",
        "super",
        "magic",
        "dbicflags",
        "dbis",
        "svrv",
        "null",
        "imp2com",
        "dbicactivekids",
        "dbicfiadestroy",
        "sv h",
        "dbicdbistate",
        "code",
        "copy",
        "refer",
        "trace",
        "error",
        "unknown",
        "hookopcheckh",
        "startexternc",
        "hookopcheckcb",
        "userdata",
        "endexternc",
        "isinternalbuild",
        "kickmcxdforuid",
        "loadappkit",
        "ardconfig",
        "authenticator",
        "dsauthenticator",
        "dsnode",
        "dsrecord",
        "group",
        "hostconfig",
        "apfsvolumelock",
        "apfsvolumerole",
        "aoskgetosinfo",
        "aoskgetuserinfo",
        "aosaddappleid",
        "aosdisablepcs",
        "aosenablepcs",
        "aoslog",
        "aoslogforce",
        "aosrelaycookie",
        "didfailcallback",
        "kaosaccountkey",
        "kapcsbundle",
        "kapcspath",
        "kjsonextension",
        "apcsbucketid",
        "apcsreports",
        "apconfiguration",
        "apversiondata",
        "apversionhelper",
        "systemvolumesvm",
        "name size",
        "identifier",
        "gb disk0s3",
        "devdisk3",
        "apfs container",
        "scheme",
        "physical store",
        "macintosh hd",
        "apfs snapshot",
        "preboot",
        "refs address",
        "size wired",
        "name",
        "version",
        "uuid",
        "linked against",
        "renderer",
        "helper",
        "chrome helper",
        "contains",
        "cloud ui",
        "macintosh",
        "khtml",
        "gecko",
        "ui helper",
        "plugin",
        "service",
        "good",
        "battery power",
        "apfs encryption",
        "jumpcloud go",
        "chrome web",
        "store",
        "privacy badger",
        "flowcrypt",
        "encrypt gmail",
        "simple",
        "google",
        "b2b phone",
        "number",
        "apollo",
        "future",
        "exccrash",
        "sigkill",
        "code signature",
        "invalid",
        "sigabrt",
        "protonvpn",
        "excguard",
        "excbreakpoint",
        "sigtrap",
        "excbadaccess",
        "appl",
        "english",
        "adobe crash",
        "adobe",
        "acrobat dcadobe",
        "processor",
        "uninstaller",
        "assistant",
        "install",
        "cloud",
        "dock",
        "calendar",
        "music",
        "terminal",
        "tips",
        "installer",
        "updater",
        "proton",
        "tools",
        "stub",
        "python",
        "clock",
        "powershell",
        "team",
        "rave scout",
        "cookies",
        "public folder",
        "key cert",
        "sign",
        "crl sign",
        "root ca",
        "authority",
        "public primary",
        "global root",
        "verisign",
        "academic",
        "premium",
        "adaptive",
        "interactive",
        "background",
        "standard",
        "launchd sandbox",
        "s mdworker",
        "agent",
        "command line",
        "progress",
        "yubico",
        "macos13action",
        "disableoverride",
        "disableairdrop",
        "denyactivation",
        "enable",
        "loginwindowtext",
        "jumpcloud",
        "autoupdate",
        "loggingoption",
        "enablefirewall",
        "arm64e",
        "apple m2",
        "mac142",
        "kjqqtw7pqt",
        "daemon",
        "server",
        "open directory",
        "user",
        "account",
        "kerberos admin",
        "kerberos change",
        "device daemon",
        "network",
        "desktop",
        "screensaver",
        "bridge",
        "aesxtsarm",
        "aesecbarm",
        "sha512vngarmhw",
        "sha384vngarmhw",
        "sha256vngarm",
        "sha1vngarm",
        "darwin kernel",
        "wed mar",
        "wkarraycreate",
        "wkbooleancreate",
        "wkcontextcreate",
        "wkdatacreate",
        "wkdatagettypeid",
        "wkdoublecreate",
        "wkframecopyurl",
        "wkgettypeid",
        "wkimagecreate",
        "wkpagecandelete",
        "webview",
        "notice",
        "this software",
        "including",
        "but not",
        "limited to",
        "redistribution",
        "is provided",
        "by apple",
        "direct",
        "damage",
        "apiavailable",
        "webkit",
        "nsswiftname",
        "document",
        "a block",
        "as is",
        "hasinclude",
        "wkdownload",
        "abstract",
        "wkerrorcode",
        "wkerrorunknown",
        "discussion",
        "bool",
        "whether",
        "wkcontentworld",
        "wkwebview",
        "javascript",
        "nsunavailable",
        "vaargs",
        "nsswiftasync",
        "wkswiftasync",
        "wkcookiepolicy",
        "wkswiftuiactor",
        "nshttpcookie",
        "targetosiphone",
        "wknavigation",
        "decides",
        "boolean value",
        "apideprecated",
        "methodkind",
        "wkerrordomain",
        "wkscriptmessage",
        "promise",
        "fulfill",
        "const",
        "url scheme",
        "mark",
        "wkuserscript",
        "targetosvision",
        "param",
        "wkframeinfo",
        "targetosios",
        "pass",
        "window",
        "mime type",
        "link",
        "nsimage",
        "returns",
        "nsset",
        "checks",
        "matches",
        "a boolean",
        "defaults",
        "wkwebextension",
        "cgsize",
        "uiimage",
        "apis",
        "nsdate",
        "wkcontentmode",
        "wkextern",
        "possible",
        "cgfloat",
        "media",
        "cgrect",
        "apiunavailable",
        "framework",
        "nsswiftuiactor",
        "targetoswatch",
        "confirms",
        "apple upgrade",
        "nsstring user",
        "nsobject",
        "provider",
        "apple",
        "password",
        "uicontrol",
        "nscontrol",
        "asuseragerange",
        "check",
        "opaque user",
        "apple id",
        "initiate",
        "asauthorization",
        "operation",
        "state",
        "nserrorenum",
        "nsdata",
        "relying party",
        "asapiavailable",
        "perform",
        "realm",
        "http response",
        "authorization",
        "http",
        "oauth",
        "saml",
        "a byte",
        "nsdata userid",
        "relying",
        "a string",
        "nsdata readdata",
        "bool didwrite",
        "a cose",
        "nsdata first",
        "nsdata second",
        "nsstring name",
        "bool appid",
        "targetosxr",
        "nsstring appid",
        "bluetooth",
        "mdm profile",
        "nsurl url",
        "returns yes",
        "a state",
        "a json",
        "web token",
        "private seckeys",
        "enables",
        "keychain",
        "asswiftsendable",
        "cose algorithm",
        "ecdsa",
        "sha256",
        "cose curve",
        "p256",
        "nullable",
        "bool success",
        "remove",
        "call",
        "complete",
        "initializes",
        "time code",
        "extensions",
        "asextern extern",
        "asextern",
        "nsswiftsendable",
        "prepare",
        "list",
        "nsextension",
        "attempt",
        "nsstring label",
        "creates",
        "nsstring code",
        "a key",
        "webauthn",
        "nssecurecoding",
        "input",
        "output",
        "initialize",
        "nsinteger rank",
        "json",
        "inputs",
        "hash",
        "nsstring origin",
        "settings app",
        "extension",
        "https urls",
        "safari",
        "cancel",
        "nsuuid uuid",
        "r uftpexu",
        "nsmutabledata",
        "vnsdate",
        "mprcjy",
        "postfix",
        "domain",
        "canonical",
        "tables",
        "ldap",
        "post",
        "replace user",
        "address",
        "wietse venema",
        "bugs",
        "mail",
        "aliases",
        "postfix version",
        "restrict",
        "sample",
        "person",
        "basic system",
        "general",
        "reject empty",
        "postfix smtp",
        "ipv6 host",
        "reject",
        "reply",
        "access",
        "prior",
        "hold",
        "info",
        "mail delivery",
        "charset",
        "system",
        "report",
        "postfix dsn",
        "mail returned",
        "this",
        "generic",
        "smtp",
        "isp mail",
        "mime",
        "headerchecks",
        "readme files",
        "filters while",
        "posix",
        "empty",
        "body",
        "write",
        "date",
        "smtp server",
        "specify",
        "mx host",
        "unix password",
        "user unknown",
        "pathbin",
        "postfix queue",
        "unix",
        "cyrus",
        "path",
        "uucp",
        "shell",
        "local",
        "program",
        "agreement",
        "contributor",
        "recipient",
        "contribution",
        "the program",
        "corporation",
        "contributors",
        "product x",
        "as expressly",
        "arch",
        "arch x8664",
        "pipe wall",
        "wimplicit",
        "ranlib",
        "warn",
        "switch",
        "start",
        "systype",
        "outlook",
        "postfix master",
        "begin",
        "server admin",
        "mail backend",
        "modern smtp",
        "iana",
        "many",
        "postfix pipe",
        "recent cyrus",
        "amos gouaux",
        "old example",
        "or even",
        "lutz jaenicke",
        "technology",
        "cottbus",
        "germany",
        "openssl package",
        "openssl project",
        "europe",
        "remember that",
        "use of",
        "file",
        "update",
        "usrsbin",
        "file format",
        "no group",
        "daemondirectory",
        "deliver mail",
        "transport",
        "description",
        "result format",
        "virtual",
        "virtual alias",
        "redirect mail",
        "relocated",
        "matches user",
        "synopsis",
        "lastname",
        "firstname",
        "apple computer",
        "tcpip",
        "supported",
        "quantum",
        "facility",
        "level",
        "level info",
        "broadcast",
        "ignore",
        "rules",
        "sender",
        "automounter map",
        "use directory",
        "get home",
        "home autohome",
        "true",
        "t option",
        "mount",
        "force",
        "environment",
        "automountdenv",
        "promptcommand",
        "shellsessiondir",
        "histfile",
        "histfilesize",
        "myvar",
        "histtimeformat",
        "arrange",
        "bashrematch",
        "tell",
        "ps1h",
        "make bash",
        "s checkwinsize",
        "etcbashrc",
        "termprogram",
        "inpck",
        "nnnbaud",
        "berkeley",
        "parity",
        "pc entry",
        "pass8",
        "parenb istrip",
        "fixed speed",
        "entry",
        "clocal mode",
        "maxhistsize",
        "promptmode",
        "verbose end",
        "etcirbrcloaded",
        "default",
        "setup",
        "history file",
        "kernel",
        "readline",
        "jabber",
        "group database",
        "dovecot",
        "postfix scsd",
        "networkd",
        "searchpaths",
        "freebsd",
        "tmpdir",
        "fcodes",
        "prunepaths",
        "vartmp",
        "prunedirs",
        "filesystems",
        "nroff",
        "manpath",
        "uncomment",
        "manpager",
        "whatispager",
        "manlocale",
        "every",
        "manpath optman",
        "maybe",
        "troff",
        "status mailfrom",
        "returnpath via",
        "pidfile",
        "flags",
        "bcgjnuwz",
        "bin usrsbin",
        "sbin",
        "default pf",
        "care",
        "audio",
        "user database",
        "unix copy",
        "gate daemon",
        "bashno",
        "r etcbashrc",
        "rfc1323",
        "m1460",
        "macos x",
        "signature",
        "linux",
        "opera",
        "xp sp1",
        "windows sp1",
        "nmap syn",
        "m265",
        "synack",
        "mind",
        "macos",
        "warp",
        "ipv6",
        "internet",
        "icmp",
        "cisco",
        "monitoring",
        "argus",
        "chaos",
        "rsvp",
        "encapsulation",
        "aris",
        "isis",
        "netbootmount",
        "netbootshadow",
        "computername",
        "localonly",
        "localnetbootdir",
        "netboot",
        "define",
        "purpose",
        "networkonly",
        "waiting",
        "networkup",
        "term",
        "devnull",
        "common setup",
        "configure",
        "set command",
        "dns hostname",
        "dns query",
        "see also",
        "kame",
        "sunnet manager",
        "rpcsrc",
        "netlicense",
        "ftpd",
        "bindash binksh",
        "binsh bintcsh",
        "jumpcloud ldap",
        "smb2",
        "security",
        "workgroup",
        "standalone",
        "samba server",
        "enforce",
        "smb3",
        "example share",
        "improper use",
        "ctrlc",
        "none",
        "fax reception",
        "hardwired",
        "0007",
        "must",
        "visudo",
        "blocksize",
        "charset lang",
        "language lcall",
        "lines columns",
        "lscolors",
        "sshauthsock",
        "orion",
        "setup user",
        "home",
        "zdotdir",
        "delete",
        "beep",
        "vendor",
        "kf10",
        "kf11",
        "kf12",
        "kf13",
        "backspace",
        "insert",
        "resume",
        "termsessionid",
        "savehist",
        "sharehistory",
        "h do",
        "volume",
        "de l",
        "l uuid",
        "m tra",
        "n est",
        "suuid",
        "prfen",
        "fusion",
        "syst",
        "look",
        "executant",
        "alla",
        "over",
        "test",
        "overie",
        "zapis",
        "rapid",
        "disco usa",
        "de macos",
        "nie s",
        "i denne",
        "adgjmpsvx",
        "diskgthis disk",
        "01k8x j",
        "34disk",
        "levy kytt",
        "dict",
        "array",
        "plist",
        "apple root",
        "code signing",
        "inode64r",
        "xofkoxzh",
        "integer",
        "doctype",
        "brain",
        "abcd",
        "ogwo",
        "boaw",
        "cobwa",
        "uhawavauatsh",
        "ip bitmap",
        "foewdc",
        "could",
        "ip block",
        "funcs",
        "cogwo",
        "trash",
        "double",
        "hunt",
        "affa",
        "carr",
        "crypto",
        "docwbac",
        "q1b0",
        "q1 0",
        "h h5",
        "docwbag",
        "slice",
        "format",
        "zero",
        "alfa",
        "hera",
        "lelei",
        "hehe",
        "hisp",
        "fail",
        "katy",
        "zakk",
        "eodwcbgao",
        "hhk8di",
        "alma",
        "topo",
        "open",
        "huhk",
        "piper",
        "hehx",
        "eh ui",
        "h20hph",
        "hif h",
        "hmhhihqhyla hq",
        "r11b0",
        "target",
        "uus10u",
        "hifh",
        "loghookfailed",
        "loghook",
        "hell",
        "q1b 0",
        "f duh",
        "aqw1",
        "1160"
      ],
      "references": [
        "index.html.en",
        "bind.html",
        "caching.html",
        "BUILDING",
        "configuring.html",
        "content-negotiation.html",
        "custom-error.html",
        "convenience.map",
        "LDAP.tbd",
        "lber.h",
        "ldap.h",
        "LocalAuthentication.tbd",
        "arm64e-apple-macos.swiftinterface",
        "x86_64-apple-ios-macabi.swiftinterface",
        "arm64e-apple-ios-macabi.swiftinterface",
        "x86_64-apple-macos.swiftinterface",
        "MultipeerConnectivity.tbd",
        "module.modulemap",
        "MCNearbyServiceAdvertiser.h",
        "MCPeerID.h",
        "MCError.h",
        "MCNearbyServiceBrowser.h",
        "MCAdvertiserAssistant.h",
        "MultipeerConnectivity.apinotes",
        "MultipeerConnectivity.h",
        "MCSession.h",
        "MCBrowserViewController.h",
        "dbivport.h",
        "dbi_sql.h",
        "dbd_xsh.h",
        "dbixs_rev.h",
        "Driver_xst.h",
        "DBIXS.h",
        "hook_op_check.h",
        "Admin.tbd",
        "AirPlayReceiver.tbd",
        "apfs_boot_mount.tbd",
        "AOSKit.tbd",
        "APConfigurationSystem.tbd",
        "AppleFirmwareUpdate.tbd",
        "launchdaemons.txt",
        "preboot_archive_errors.log",
        "mounts.txt",
        "launchagents.txt",
        "disk_structure.txt",
        "user_launchagents.txt",
        "security_status.txt",
        "kexts.txt",
        "process_list.txt",
        "battery.csv",
        "diskEncryption.csv",
        "chromeExtensions.csv",
        "crashes.csv",
        "interfaceAddrs.csv",
        "kernel.csv",
        "interfaceDetails.csv",
        "etcHosts.csv",
        "applications.csv",
        "mounts.csv",
        "sharedFolders.csv",
        "certificates.csv",
        "sharingPreferences.csv",
        "launchD.csv",
        "usbDevices.csv",
        "managedPolicies.csv",
        "systemInfo.csv",
        "users.csv",
        "sipConfig.csv",
        "systemControls.csv",
        "canonical",
        "aliases",
        "custom_header_checks",
        "access",
        "bounce.cf.default",
        "generic",
        "header_checks",
        "main.cf.default",
        "LICENSE",
        "makedefs.out",
        "main.cf",
        "master.cf.default",
        "main.cf.proto",
        "master.cf.proto",
        "master.cf",
        "TLS_LICENSE",
        "postfix-files",
        "transport",
        "virtual",
        "relocated",
        "afpovertcp.cfg",
        "asl.conf",
        "auto_home",
        "auto_master",
        "autofs.conf",
        "bashrc_Apple_Terminal",
        "com.apple.screensharing.agent.launchd",
        "bashrc",
        "command_args.json",
        "csh.cshrc",
        "csh.login",
        "find.codes",
        "csh.logout",
        "ftpusers",
        "gettytab",
        "irbrc",
        "kern_loader.conf",
        "group",
        "locate.rc",
        "man.conf",
        "mail.rc",
        "manpaths",
        "networks",
        "nfs.conf",
        "newsyslog.conf",
        "ntp_opendirectory.conf",
        "ntp.conf",
        "notify.conf",
        "paths",
        "pf.conf",
        "passwd",
        "profile",
        "pf.os",
        "protocols",
        "rc.netboot",
        "rc.common",
        "rmtab",
        "resolv.conf",
        "rtadvd.conf",
        "rpc",
        "shells",
        "smb.conf",
        "sudo_lecture",
        "ttys",
        "syslog.conf",
        "xtab",
        "sudoers",
        "zprofile",
        "zshrc",
        "zshrc_Apple_Terminal",
        "CodeResources",
        "version.plist",
        "Info.plist"
      ],
      "public": 1,
      "adversary": "DragonForce Malaysia Hacker Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lastname",
          "display_name": "Lastname",
          "target": null
        },
        {
          "id": "Firstname",
          "display_name": "Firstname",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 66,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ilyailya",
        "id": "298851",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 4449,
        "domain": 3847,
        "URL": 14263,
        "FileHash-SHA256": 2356,
        "FileHash-MD5": 223,
        "FileHash-SHA1": 523,
        "email": 223,
        "CVE": 40,
        "CIDR": 12,
        "SSLCertFingerprint": 302
      },
      "indicator_count": 26238,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 37,
      "modified_text": "385 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b0fa3624bf0384e427f2e7",
      "name": "Tracking Domains 4.2 - 08.19.24",
      "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
      "modified": "2024-09-04T15:01:01.432000",
      "created": "2024-08-05T16:13:42.563000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "https://viz.greynoise.io/query/AS4611",
        "https://urlscan.io/asn/AS4611",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "https://urlscan.io/asn/AS45090",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "https://viz.greynoise.io/query/AS45090",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 6180,
        "FileHash-MD5": 1,
        "domain": 24921,
        "URL": 10854
      },
      "indicator_count": 41956,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "634 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66269b1f33258a8e26033b17",
      "name": "Tracking Domains - Part 4.1",
      "description": "More Tracking Domains",
      "modified": "2024-08-30T13:02:28.335000",
      "created": "2024-04-22T17:15:11.398000",
      "tags": [
        "Tracking Domains"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 94496,
        "FileHash-MD5": 63,
        "domain": 112327,
        "URL": 166918,
        "FileHash-SHA1": 33,
        "FileHash-SHA256": 103,
        "CIDR": 216
      },
      "indicator_count": 374156,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "640 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66269b204ecfba63974dc1d8",
      "name": "Tracking Domains - Part 4",
      "description": "More Tracking Domains",
      "modified": "2024-05-22T17:04:45.215000",
      "created": "2024-04-22T17:15:12.353000",
      "tags": [
        "Tracking Domains"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 792,
        "FileHash-MD5": 1,
        "domain": 5803,
        "URL": 2
      },
      "indicator_count": 6598,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 136,
      "modified_text": "739 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64ac688725adf28284e2efe9",
      "name": "\"No Problems\": Investigation of Distribution Vectors and Threat Network Infrastructure",
      "description": "Investigation of Distribution Vectors and Threat Network Infrastructure\n\nAn analysis of Malware Distribution and Threats stemming from an Internal Breach at the University of Alberta. Retrospective & 'In-Progress' tracking, identification, and characterization among affected individuals/organizations, services, and platforms.\n\nJust your average student looking for a solution to help identify or 'link together' some on-going issue(s) with a few things(? - [insert noun] ) and/or also fixing things & 'learning-on-the-fly' - which all definitely 'have everything to do with my education and skillset' [insert bitterness & sarcasm].\n\nApparently meeting the academic standards for implementing and enforcing a 'secure environment' and protecting students relies on: 1) The innovative approach of a 'remote Google-Meet teardown' of everything but your devices, data, or software issues and 2) The 'Holistic Model' of \"we don't do 'in-person' technical support\" because \"we are un-hackable\".",
      "modified": "2024-03-11T07:12:06.930000",
      "created": "2023-07-10T20:22:31.492000",
      "tags": [],
      "references": [
        "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
        "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
        "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
        "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "Mexico",
        "United States of America",
        "Aruba",
        "Panama",
        "Canada",
        "Anguilla"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 75,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 467,
        "domain": 767,
        "hostname": 402,
        "URL": 142,
        "CVE": 1,
        "email": 1
      },
      "indicator_count": 1929,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "812 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "microad.jp",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "microad.jp",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780322867.588305
}