{
"type": "Domain",
"indicator": "microsoftdata.solutions",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/microsoftdata.solutions",
"alexa": "http://www.alexa.com/siteinfo/microsoftdata.solutions",
"indicator": "microsoftdata.solutions",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3384193118,
"indicator": "microsoftdata.solutions",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e2e5ed5d25f6949b1d752b",
"name": "CAPE Sandbox- The Unified Layer",
"description": "\"A public key has been issued by the US government to secure the signature of US President Barack Obama and US Secretary of State John Kerry, who both want to use it to send their private messages.\"",
"modified": "2026-04-18T04:07:44.254000",
"created": "2026-04-18T02:01:17.468000",
"tags": [
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cnr11",
"validity",
"subject public",
"key info",
"key algorithm",
"certificate",
"eig network",
"nethandle",
"net162",
"net1620000",
"layer",
"blueh2",
"layer orgid",
"south",
"east city",
"settings",
"first counter",
"default",
"inprocserver32",
"mbisslshort",
"bearer",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"info",
"bridge",
"accept",
"date",
"agent",
"shutdown",
"root",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 69,
"FileHash-SHA256": 274,
"hostname": 328,
"CIDR": 1,
"URL": 229,
"email": 2,
"IPv4": 152,
"domain": 60,
"FileHash-MD5": 587,
"CVE": 1
},
"indicator_count": 1703,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2bb3f596b9a99d6eb97c3",
"name": "unnamed group SOCradar clone by fraevolquez",
"description": "",
"modified": "2026-04-12T00:05:39.579000",
"created": "2026-03-12T13:10:23.942000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": "67733381a0cdad5d55f5166f",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69612a0df518040b20932bef",
"name": "Pahamify Pegasus | Palantir Malicious delivery via Bible app downloaded from iOS App Store",
"description": "Pahamify Pegasus | Requires much further research.\nWorking backwards: Targeted device had a Bible Gateway app download by target from both iOS and Android devices. As per report each time app was accessed, iOS became glitched, passwords stolen, drive by compromise on lock screen prompted target to review app. She found the app login was changed to an unknown users name. I tested a (Bible Gateway) URI to see if her belief BG was a honey pot was true. \nThis may take 2-3 more rounds of research. \nIs Pegasus. Is Palantir. Is intrusive and malicious.\n\n[OTC auto generated Title: 2 Timothy 3 NIV - But mark this: There will be terrible - Bible Gateway]",
"modified": "2026-02-08T15:00:50.749000",
"created": "2026-01-09T16:17:17.632000",
"tags": [
"defense evasion",
"cor ta0011",
"techni process",
"application l",
"encrypted ch",
"christ jesus",
"just",
"final charge",
"timothy10",
"antioch",
"iconium",
"lystra",
"lord",
"holy scriptures",
"scripture",
"bible gateway",
"no expiration",
"expiration",
"a domains",
"present sep",
"united",
"present jun",
"meta",
"present oct",
"present aug",
"servers",
"title",
"data upload",
"extraction",
"palantir foundry",
"listeners",
"dev",
"redirects",
"redirect health",
"health data",
"utc google",
"utc na",
"script",
"utc amazon",
"bible",
"meta tags",
"read",
"bible reading",
"trackers google",
"anchor",
"analyse headers",
"contenttype",
"transferenco",
"connection",
"date fri",
"server",
"read c",
"as16509",
"rgba",
"unicode",
"execution",
"dock",
"write",
"persistence",
"jsvendor",
"jsapp",
"script script",
"cssapp",
"jsfirebase",
"moved",
"urls",
"pegasus",
"encrypt",
"script urls",
"record value",
"tls handshake",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"next",
"capture",
"malware",
"unknown",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"access att",
"t1189 driveby",
"html",
"mitre att",
"ck matrix",
"ascii text",
"pattern match",
"et info",
"bad traffic",
"hybrid",
"general",
"local",
"path",
"click",
"adversaries",
"execution att",
"t1204 user",
"t1480 execution",
"null",
"refresh",
"span",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"timothy",
"search",
"tag manager",
"g8t6ln06z40",
"code",
"css",
"js",
"router",
"cloudfront",
"John 12:17",
"port",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"destination",
"loaderid",
"lidfileupd",
"stream"
],
"references": [
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"https://pegasus.pahamify.com/",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"John 12:17"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Bible Gateway",
"display_name": "Bible Gateway",
"target": null
},
{
"id": "Pahamify Pegasus",
"display_name": "Pahamify Pegasus",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1608.005",
"name": "Link Target",
"display_name": "T1608.005 - Link Target"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1566.002",
"name": "Spearphishing Link",
"display_name": "T1566.002 - Spearphishing Link"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6527,
"hostname": 2450,
"FileHash-SHA256": 1716,
"FileHash-MD5": 245,
"FileHash-SHA1": 134,
"domain": 1101,
"email": 3,
"SSLCertFingerprint": 8
},
"indicator_count": 12184,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "70 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6945800991b5d80bdbcd2168",
"name": "ET MALWARE Playtech Downloader Online Gaming Checkin Illegal Operations",
"description": "Related to multiple illegal operations.\nAppears to be an illegal gambling operation with many fronts. (In this instance. This compromise is obviously not exclusive to the content I present)\n\nTip: by NPDJoke - Thank you! \nDangerous. Not fully confirmed by me- involvement of Colorado Mafia Families.\nConfirmed: Colorado has a very rich history of mafia crimes including gambling involving doctors to food manufacturers. Multiple fronts. The entire \u2018Family\u2019 associations, etc, is diversified, working in many roles such as medical professionals, lawyers, music , computer engineers, hackers. Colorado is beautiful but very corrupt.\nConfirmed: The wrong suspects jailed, jabbed, and sometimes murderd.",
"modified": "2026-01-18T16:03:33.514000",
"created": "2025-12-19T16:40:41.842000",
"tags": [
"installer.exe",
"process32nextw",
"regsetvalueexa",
"regopenkeyexw",
"regdword",
"medium",
"regbinary",
"pupadware",
"http header",
"regsetvalueexw",
"loader",
"suspicious",
"persistence",
"execution",
"malware",
"win32 exe",
"pe32",
"intel",
"ms windows",
"win32 dynamic",
"link library",
"win16 ne",
"os2 executable",
"pe32 compiler",
"ltcgc",
"techniques y",
"none",
"scripting inte",
"registry",
"elevati t1548",
"hijack execut",
"y none",
"info",
"abuse elevation",
"control mec",
"flow l",
"plugins",
"plugx",
"backdoor",
"trojan",
"autoit",
"crossrider",
"modify",
"bootkit",
"abuse",
"casino",
"bet",
"ah",
"army",
"sabey",
"ahmann",
"dora true",
"persistence",
"injection",
"graham tech",
"danger",
"gambling",
"intellectual property",
"theft",
"bonu$",
"dago",
"colorado"
],
"references": [
"installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229",
"Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech",
"Yara: Detections: stack_string | ConventionEngine_Keyword_Install |",
"Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]",
"IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin",
"IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header",
"CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin",
"CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated",
"CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.",
"http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze",
"cache.download2.casino.com",
"thebeautifulbet.com",
"Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo",
"http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9",
"http://geo.web-installer-assets.com/H",
"http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration",
"authrootstl.cab",
"ET MALWARE Playtech Downloader Online Gaming Checkin Malware",
"Command and Control Activity Detected",
"Proofpoint Emerging Threats Open X Context for the matching alerts",
"Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3",
"Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com",
"URL: http://cache.download2.casino.com/download/casino/client"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan.Playtech/Crossrider",
"display_name": "Trojan.Playtech/Crossrider",
"target": null
},
{
"id": "Trojan.Winterlove-28",
"display_name": "Trojan.Winterlove-28",
"target": null
},
{
"id": "TEL:Backdoor:Win32/PlugX",
"display_name": "TEL:Backdoor:Win32/PlugX",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBG!MTB",
"display_name": "Trojan:Win32/Zbot.SIBG!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBG!MTB"
},
{
"id": "#Lowfi:LUA:AutoItLargeFile",
"display_name": "#Lowfi:LUA:AutoItLargeFile",
"target": null
},
{
"id": "TELPER:HSTR:CLEAN:Ninite",
"display_name": "TELPER:HSTR:CLEAN:Ninite",
"target": null
},
{
"id": "#VirTool:Win32|Obfuscator.ADB",
"display_name": "#VirTool:Win32|Obfuscator.ADB",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1067",
"name": "Bootkit",
"display_name": "T1067 - Bootkit"
},
{
"id": "T1037",
"name": "Boot or Logon Initialization Scripts",
"display_name": "T1037 - Boot or Logon Initialization Scripts"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1463",
"name": "Manipulate Device Communication",
"display_name": "T1463 - Manipulate Device Communication"
},
{
"id": "T1401",
"name": "Device Administrator Permissions",
"display_name": "T1401 - Device Administrator Permissions"
},
{
"id": "T1413",
"name": "Access Sensitive Data in Device Logs",
"display_name": "T1413 - Access Sensitive Data in Device Logs"
},
{
"id": "T1450",
"name": "Exploit SS7 to Track Device Location",
"display_name": "T1450 - Exploit SS7 to Track Device Location"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 8,
"FileHash-SHA1": 7,
"FileHash-SHA256": 338,
"URL": 159,
"hostname": 115,
"domain": 82
},
"indicator_count": 709,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "91 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e9b142a8508d5257d1662",
"name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man",
"description": "",
"modified": "2026-01-01T07:03:18.851000",
"created": "2025-12-02T07:53:56.560000",
"tags": [
"present nov",
"unknown aaaa",
"ip address",
"win32",
"america asn",
"twitter",
"united states",
"america",
"ipv4",
"united",
"a domains",
"443 ma86400",
"super",
"read c",
"memcommit",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"regsetvalueexa",
"hack",
"write",
"february",
"local",
"unknown",
"persistence",
"execution",
"xport",
"kb body",
"present aug",
"present sep",
"present oct",
"for privacy",
"false",
"expirestue",
"path",
"p2404",
"accept",
"p11762282638",
"host",
"gmt range",
"gmt ifnonematch",
"p11762466264",
"p11762417453",
"nothing",
"shutdown",
"process32nextw",
"langturkish",
"sublangdefault",
"regdword",
"rtrcdata",
"microsoft excel",
"delphi",
"worm",
"malware",
"error",
"next",
"format",
"suspicious",
"less see",
"contacted",
"all ip",
"domains",
"all related",
"pulses otx",
"related tags",
"file type",
"pexe",
"christopher ahmann",
"tam legal",
"treece",
"hacking",
"highjacking",
"modified",
"quasi government",
"ai google",
"inject",
"adversaries",
"government",
"insurance",
"apple"
],
"references": [
"External Apple Connection: Notepad.pw",
"Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h",
"takedown-communication-api.prod-c15a-awsuse.ppops.net",
"L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/",
"http://www.mohurd.gov.cn.lxcvc.com/",
"config.uca.cloud.unity3d.com",
"0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com",
"http://mp7tf.best-cell-phone-plans-for-seniors.cfd/",
"sipphone.com",
"uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq"
],
"public": 1,
"adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist",
"targeted_countries": [],
"malware_families": [
{
"id": "Win.Malware.004bf-6866449-0",
"display_name": "Win.Malware.004bf-6866449-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Worn:Win32/AutoRun.XXY!bit",
"display_name": "Worn:Win32/AutoRun.XXY!bit",
"target": "/malware/Worn:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6907cc66855b7dfe1306b0d8",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2615,
"URL": 7437,
"hostname": 1765,
"domain": 686,
"FileHash-MD5": 448,
"FileHash-SHA1": 295,
"SSLCertFingerprint": 12,
"email": 1
},
"indicator_count": 13259,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6907cc66855b7dfe1306b0d8",
"name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting",
"description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.",
"modified": "2026-01-01T07:03:18.851000",
"created": "2025-11-02T21:25:58.814000",
"tags": [
"present nov",
"unknown aaaa",
"ip address",
"win32",
"america asn",
"twitter",
"united states",
"america",
"ipv4",
"united",
"a domains",
"443 ma86400",
"super",
"read c",
"memcommit",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"regsetvalueexa",
"hack",
"write",
"february",
"local",
"unknown",
"persistence",
"execution",
"xport",
"kb body",
"present aug",
"present sep",
"present oct",
"for privacy",
"false",
"expirestue",
"path",
"p2404",
"accept",
"p11762282638",
"host",
"gmt range",
"gmt ifnonematch",
"p11762466264",
"p11762417453",
"nothing",
"shutdown",
"process32nextw",
"langturkish",
"sublangdefault",
"regdword",
"rtrcdata",
"microsoft excel",
"delphi",
"worm",
"malware",
"error",
"next",
"format",
"suspicious",
"less see",
"contacted",
"all ip",
"domains",
"all related",
"pulses otx",
"related tags",
"file type",
"pexe",
"christopher ahmann",
"tam legal",
"treece",
"hacking",
"highjacking",
"modified",
"quasi government",
"ai google",
"inject",
"adversaries",
"government",
"insurance",
"apple"
],
"references": [
"External Apple Connection: Notepad.pw",
"Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h",
"takedown-communication-api.prod-c15a-awsuse.ppops.net",
"L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/",
"http://www.mohurd.gov.cn.lxcvc.com/",
"config.uca.cloud.unity3d.com",
"0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com",
"http://mp7tf.best-cell-phone-plans-for-seniors.cfd/",
"sipphone.com",
"uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq"
],
"public": 1,
"adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist",
"targeted_countries": [],
"malware_families": [
{
"id": "Win.Malware.004bf-6866449-0",
"display_name": "Win.Malware.004bf-6866449-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Worn:Win32/AutoRun.XXY!bit",
"display_name": "Worn:Win32/AutoRun.XXY!bit",
"target": "/malware/Worn:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1184",
"name": "SSH Hijacking",
"display_name": "T1184 - SSH Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
}
],
"industries": [
"Legal",
"Government",
"Healthcare",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2615,
"URL": 7521,
"hostname": 1775,
"domain": 689,
"FileHash-MD5": 448,
"FileHash-SHA1": 295,
"SSLCertFingerprint": 12,
"email": 1
},
"indicator_count": 13356,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "109 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68a0cb6a89a10d13623a0018",
"name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet",
"description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink",
"modified": "2025-09-15T16:04:47.043000",
"created": "2025-08-16T18:18:18.657000",
"tags": [
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"httponly",
"samesitelax",
"read c",
"medium",
"rgba",
"unicode",
"port",
"memcommit",
"delete",
"next",
"dock",
"write",
"execution",
"present aug",
"united",
"ip address",
"name servers",
"unknown ns",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"pattern match",
"show technique",
"ck matrix",
"refresh",
"body",
"span",
"august",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"href",
"size",
"t1480 execution",
"file defense",
"ascii text",
"trojan",
"passive dns",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"urls",
"files",
"location united",
"ipv4",
"url analysis",
"america flag",
"america asn",
"backdoor",
"win32",
"malware",
"date",
"domain",
"segoe ui",
"a domains",
"security tls",
"san jose",
"asn8075",
"reverse dns",
"software",
"resource hash",
"general full",
"status",
"emails",
"expiration date",
"asp",
"microsoft oem",
"found",
"running webserver",
"netherlands",
"creation date",
"aaaa",
"certificate",
"protocol h2",
"name value",
"hash",
"present jun",
"present apr",
"moved",
"control att",
"t1573 encrypted",
"channel command",
"decrypted ssl",
"runtime process",
"appdata",
"windows nt",
"svg scalable",
"patch",
"internal",
"core",
"high",
"tcp syn",
"icmp traffic",
"dns query",
"av detections",
"ashburn",
"ai device id",
"telnet",
"windows script",
"microsoft",
"host",
"yara detections",
"pdb path",
"pe resource",
"script host",
"test",
"hostname add",
"files ip",
"domains",
"hashes",
"ireland",
"mtb jun",
"mtb may",
"device local",
"remotewd",
"nemtih",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses otx",
"present jul",
"domain add",
"colorado",
"quasi",
"contracts",
"botnet",
"remote access",
"virginia",
"c++",
"hacking",
"monitored target",
"silencing campaign",
"audio recording",
"cameras",
"full service",
"tactics"
],
"references": [
"Handled by Lumen Technologies | What kind of darkness is this?",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"dev.myhpnmedicaid.com",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "Trojan:Win32/Daws",
"display_name": "Trojan:Win32/Daws",
"target": "/malware/Trojan:Win32/Daws"
},
{
"id": "ELF:Mirai-ATI",
"display_name": "ELF:Mirai-ATI",
"target": null
},
{
"id": "Trojan:Win32/IRCbot",
"display_name": "Trojan:Win32/IRCbot",
"target": "/malware/Trojan:Win32/IRCbot"
},
{
"id": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Trojandropper:Win32/Muldrop.V!MTB",
"display_name": "Trojandropper:Win32/Muldrop.V!MTB",
"target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1001.003",
"name": "Protocol Impersonation",
"display_name": "T1001.003 - Protocol Impersonation"
},
{
"id": "T1092",
"name": "Communication Through Removable Media",
"display_name": "T1092 - Communication Through Removable Media"
},
{
"id": "T1433",
"name": "Access Call Log",
"display_name": "T1433 - Access Call Log"
}
],
"industries": [
"Technology",
"Telecommunications",
"Contracts",
"Government",
"Finance",
"Insurance",
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4880,
"domain": 575,
"hostname": 1419,
"FileHash-SHA256": 1745,
"FileHash-MD5": 284,
"FileHash-SHA1": 263,
"email": 5,
"CVE": 1
},
"indicator_count": 9172,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "216 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "689b9b9fab42ca4f016a226f",
"name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)",
"description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +",
"modified": "2025-09-11T13:03:18.814000",
"created": "2025-08-12T19:53:03.953000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses url",
"entries",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"mitre att",
"ck techniques",
"evasion att",
"href",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"show technique",
"ck matrix",
"null",
"refresh",
"body",
"span",
"general",
"local",
"path",
"iframe",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"united",
"unknown ns",
"ip address",
"creation date",
"search",
"present sep",
"moved",
"domain add",
"encrypt",
"accept",
"please",
"passive dns",
"msie",
"next associated",
"html",
"background",
"unknown site",
"div div",
"trojan",
"zeus",
"process32nextw",
"read c",
"show",
"shellexecuteexw",
"windows nt",
"wow64",
"copy",
"dock",
"write",
"malware",
"unknown",
"defense evasion",
"t1480 execution",
"file defense",
"august",
"hybrid",
"port",
"destination",
"tlsv1",
"as15169",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"persistence",
"data upload",
"extraction",
"win32",
"ransom",
"trojandropper",
"mtb nov",
"forcud",
"files show",
"date hash",
"avast avg"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4179,
"domain": 774,
"hostname": 1673,
"FileHash-MD5": 169,
"FileHash-SHA1": 110,
"FileHash-SHA256": 2073,
"email": 1,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 8993,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "220 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68732864356c4353e0b1efe2",
"name": "Denver Post - Custom Malware | Xord",
"description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232",
"modified": "2025-08-12T03:05:26.037000",
"created": "2025-07-13T03:30:44.589000",
"tags": [
"url https",
"indicator role",
"title added",
"active related",
"pulses",
"entries",
"url http",
"domain",
"ipv4",
"filehashsha256",
"hostname",
"types of",
"united kingdom",
"united",
"germany",
"france",
"type indicator",
"role title",
"added active",
"related pulses",
"extraction",
"data upload",
"failed",
"se extraction",
"enter sc",
"type",
"extra data",
"please",
"include review",
"exclude sugges",
"type ol",
"please sub",
"langes",
"include",
"review data",
"extrad",
"manually add",
"indicator",
"sc type",
"included iocs",
"se extr",
"review exclude",
"sugges",
"extract data",
"add indicator",
"domain related",
"showing",
"tewdida data",
"present jul",
"script urls",
"a domains",
"present jun",
"search",
"accept encoding",
"unknown aaaa",
"present may",
"date",
"meta",
"body",
"ipv6",
"role",
"present jan",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"regexp",
"typeof e",
"typeof t",
"function",
"width",
"error",
"object",
"x20trnf",
"pseudo",
"child",
"form",
"class",
"null",
"write",
"this",
"void",
"accept",
"copy",
"extr please",
"typ data",
"indicalok no",
"gmt max",
"reverse dns",
"location united",
"america flag",
"ashburn",
"america asn",
"dns resolutions",
"domains top",
"extri please",
"review",
"sugges data",
"find suxesteu",
"typ indical",
"on hos",
"dynamicloader",
"medium",
"show",
"high",
"windows",
"cmd c",
"delete",
"next",
"unknown",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"as15169",
"execution",
"dock",
"persistence",
"malware",
"roboto",
"fwlink",
"powershell",
"delete c",
"guard",
"win32",
"passive dns",
"ransom",
"trojan",
"gmt cache",
"sameorigin",
"443 ma2592000",
"pulse",
"trojandropper",
"worm",
"ur extraction",
"find",
"types",
"seard data",
"source se",
"url toi",
"ela fer",
"iocs",
"search otx",
"extr",
"indicators h",
"weall",
"indica",
"sc data",
"data u",
"extre",
"find s",
"onv incmde",
"exclude data",
"suggested",
"typ no"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3107,
"domain": 526,
"hostname": 940,
"FileHash-SHA256": 2209,
"email": 2,
"FileHash-MD5": 80,
"FileHash-SHA1": 31,
"SSLCertFingerprint": 11
},
"indicator_count": 6906,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "251 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68732869bad70de69c45c1b3",
"name": "Denver Post - Custom Malware | Xord",
"description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232",
"modified": "2025-08-12T03:05:26.037000",
"created": "2025-07-13T03:30:49.347000",
"tags": [
"url https",
"indicator role",
"title added",
"active related",
"pulses",
"entries",
"url http",
"domain",
"ipv4",
"filehashsha256",
"hostname",
"types of",
"united kingdom",
"united",
"germany",
"france",
"type indicator",
"role title",
"added active",
"related pulses",
"extraction",
"data upload",
"failed",
"se extraction",
"enter sc",
"type",
"extra data",
"please",
"include review",
"exclude sugges",
"type ol",
"please sub",
"langes",
"include",
"review data",
"extrad",
"manually add",
"indicator",
"sc type",
"included iocs",
"se extr",
"review exclude",
"sugges",
"extract data",
"add indicator",
"domain related",
"showing",
"tewdida data",
"present jul",
"script urls",
"a domains",
"present jun",
"search",
"accept encoding",
"unknown aaaa",
"present may",
"date",
"meta",
"body",
"ipv6",
"role",
"present jan",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"regexp",
"typeof e",
"typeof t",
"function",
"width",
"error",
"object",
"x20trnf",
"pseudo",
"child",
"form",
"class",
"null",
"write",
"this",
"void",
"accept",
"copy",
"extr please",
"typ data",
"indicalok no",
"gmt max",
"reverse dns",
"location united",
"america flag",
"ashburn",
"america asn",
"dns resolutions",
"domains top",
"extri please",
"review",
"sugges data",
"find suxesteu",
"typ indical",
"on hos",
"dynamicloader",
"medium",
"show",
"high",
"windows",
"cmd c",
"delete",
"next",
"unknown",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"read c",
"as15169",
"execution",
"dock",
"persistence",
"malware",
"roboto",
"fwlink",
"powershell",
"delete c",
"guard",
"win32",
"passive dns",
"ransom",
"trojan",
"gmt cache",
"sameorigin",
"443 ma2592000",
"pulse",
"trojandropper",
"worm",
"ur extraction",
"find",
"types",
"seard data",
"source se",
"url toi",
"ela fer",
"iocs",
"search otx",
"extr",
"indicators h",
"weall",
"indica",
"sc data",
"data u",
"extre",
"find s",
"onv incmde",
"exclude data",
"suggested",
"typ no"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3107,
"domain": 526,
"hostname": 940,
"FileHash-SHA256": 2209,
"email": 2,
"FileHash-MD5": 80,
"FileHash-SHA1": 31,
"SSLCertFingerprint": 11
},
"indicator_count": 6906,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "251 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68361628539ed40883b8ee66",
"name": "Cycbot | Prevents affected individuals from contacting intended entities ",
"description": "",
"modified": "2025-06-26T19:05:21.983000",
"created": "2025-05-27T19:44:40.311000",
"tags": [
"backdoor",
"hstr",
"checkin",
"entries",
"urls",
"files",
"location united",
"america flag",
"united",
"america asn",
"trojandropper",
"ransom",
"trojan",
"cycbot",
"hash avast",
"avg clamav",
"msdefender jan",
"virtool",
"cves all",
"time",
"alfper",
"less see",
"all av"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "683614d951f4e789950071b3",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 24,
"FileHash-MD5": 159,
"FileHash-SHA1": 159,
"FileHash-SHA256": 1440,
"domain": 128,
"hostname": 236,
"email": 1
},
"indicator_count": 2147,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "297 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "683614d951f4e789950071b3",
"name": "Malicious blockade",
"description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||",
"modified": "2025-06-26T19:05:21.983000",
"created": "2025-05-27T19:39:05.470000",
"tags": [
"backdoor",
"hstr",
"checkin",
"entries",
"urls",
"files",
"location united",
"america flag",
"united",
"america asn",
"trojandropper",
"ransom",
"trojan",
"cycbot",
"hash avast",
"avg clamav",
"msdefender jan",
"virtool",
"cves all",
"time",
"alfper",
"less see",
"all av"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 24,
"FileHash-MD5": 159,
"FileHash-SHA1": 159,
"FileHash-SHA256": 1440,
"domain": 128,
"hostname": 236,
"email": 1
},
"indicator_count": 2147,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "297 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733b72d522398f5ea0a12d",
"name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
"description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
"modified": "2025-01-30T00:00:18.927000",
"created": "2024-12-31T00:31:46.858000",
"tags": [
"cve201711882",
"cve20201472"
],
"references": [],
"public": 1,
"adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2631,
"FileHash-SHA1": 2168,
"FileHash-SHA256": 3401,
"CVE": 25,
"domain": 977,
"hostname": 1226
},
"indicator_count": 10428,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "445 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6773339803fe4b775f7adbbc",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:58:16.590000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 59,
"modified_text": "445 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733387cf721a39ea7cc07b",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:57:59.507000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 60,
"modified_text": "445 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67733381a0cdad5d55f5166f",
"name": "Unnamed group Socradar december 2024 Dominican Republic",
"description": "Unnamed group Socradar december 2024 Dominican Republic",
"modified": "2025-01-29T23:03:56.990000",
"created": "2024-12-30T23:57:53.741000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fraevolquez",
"id": "91700",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 58,
"modified_text": "445 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f9980dbc0f1360dfdb7ac5",
"name": "fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl",
"description": "https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark\n\nVT Graph of: fbf29190e5e37fdd3962682e44b092fe8158b09deaf83cc2052c97d2a80e59ee // hxxp://www[.]microsoft[.]com/pkiops/crl/MicSecSerCA2011_2011-10-18[.]crl",
"modified": "2024-10-31T22:02:55.263000",
"created": "2024-09-29T18:10:21.653000",
"tags": [
"entity",
"Certificates",
"Malcerts"
],
"references": [
"https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark",
"http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92",
"http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51",
"http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e",
"http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09",
"http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499",
"http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede",
"http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153",
"http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed",
"http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe",
"http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c",
"http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e",
"http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea",
"https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/",
"https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications",
"Technology",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 793,
"FileHash-SHA1": 716,
"FileHash-SHA256": 9805,
"URL": 2314,
"domain": 1937,
"hostname": 2958,
"CVE": 21
},
"indicator_count": 18544,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "535 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67176428e4871c2726288178",
"name": "Android",
"description": "",
"modified": "2024-10-25T00:05:34.912000",
"created": "2024-10-22T08:36:56.514000",
"tags": [
"read c",
"write c",
"create c",
"delete c",
"process32nextw",
"langchinese",
"search",
"regsetvalueexa",
"medium",
"show",
"trojan",
"malware",
"copy",
"write",
"win32",
"tools",
"persistence",
"execution",
"local",
"next",
"count",
"august",
"scan endpoints",
"all scoreblue",
"url http",
"pulse pulses",
"http",
"domain",
"passive dns",
"urls",
"files related",
"pulses otx",
"unknown",
"cname",
"files",
"ip address",
"as16276",
"spain unknown",
"meta name",
"frame src",
"ok set",
"cookie",
"gmt date",
"gmt content",
"encrypt",
"france",
"nxdomain",
"ns nxdomain",
"aaaa nxdomain",
"name servers",
"soa nxdomain",
"moved",
"creation date",
"date",
"body",
"aaaa",
"asnone belgium",
"united kingdom",
"as16276 ovh",
"sha256",
"maltaterfb",
"showing",
"total",
"read",
"delete",
"default",
"systemroot",
"high",
"virtool",
"virustotal",
"hacktool",
"drweb",
"vipre",
"panda",
"et trojan",
"msie",
"windows nt",
"entries",
"ascii text",
"intel",
"ms windows",
"salicode",
"emails",
"expiration date",
"france unknown",
"taskmail",
"task3dmail",
"capspdf1",
"mboxinbox",
"actionshow",
"twitter",
"canada unknown",
"error",
"ipv4",
"backend",
"alfper",
"gmt contenttype",
"gmt server",
"apache",
"exploit",
"hostname",
"dynamicloader",
"yara rule",
"delivery",
"alpha criteria",
"inno setup",
"format",
"june",
"stack",
"dummy",
"overview domain",
"pulses",
"tags",
"related tags",
"google safe",
"browsing",
"record type",
"ttl value",
"status",
"united",
"asnone united",
"record value",
"trojanproxy",
"servers",
"as15169 google",
"for privacy",
"domains ii",
"ransom",
"checks",
"bios",
"cpu name",
"dynamic",
"filehash",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"technology",
"dns replication",
"system label",
"cloudflarenet",
"apnic",
"south brisbane",
"asia pacific",
"apnic whois",
"po box",
"cordelia st",
"comment",
"apnic research",
"nethandle",
"arin",
"andariel",
"yara detections",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"http headers",
"home network",
"pulse submit",
"url analysis",
"mitre att",
"ta0002 shared",
"modules t1129",
"windows",
"ta0004 access",
"t1134",
"defense evasion",
"xor encrypt",
"rc4 prga",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"command",
"control ob0004",
"ob0005 defense",
"evasion ob0006",
"file system",
"oc0001 process",
"oc0003 data",
"hashes c2ae",
"capa",
"cape sandbox",
"lastline",
"microsoft",
"memory pattern",
"dns resolutions",
"ip traffic",
"urls tcp",
"tiger rat",
"hi",
"helping sabey"
],
"references": [
"Andariel Backdoor Activity (Checkin)",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
"Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Tonmye",
"display_name": "Trojan:Win32/Tonmye",
"target": "/malware/Trojan:Win32/Tonmye"
},
{
"id": "Win32:Kamso",
"display_name": "Win32:Kamso",
"target": null
},
{
"id": "VirTool:Win32/CeeInject.GF",
"display_name": "VirTool:Win32/CeeInject.GF",
"target": "/malware/VirTool:Win32/CeeInject.GF"
},
{
"id": "ALFPER:PUA:Win32/InstallCore",
"display_name": "ALFPER:PUA:Win32/InstallCore",
"target": null
},
{
"id": "Trojan:Win32/Tonmye!rfn",
"display_name": "Trojan:Win32/Tonmye!rfn",
"target": "/malware/Trojan:Win32/Tonmye!rfn"
},
{
"id": "Ransom:Win32/Ako",
"display_name": "Ransom:Win32/Ako",
"target": "/malware/Ransom:Win32/Ako"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ARIN",
"display_name": "ARIN",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Trojan[APT]/Win32.Lazarus",
"display_name": "Trojan[APT]/Win32.Lazarus",
"target": null
}
],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66eeef55e2c1ec3a4fa60ef4",
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": true,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "jefivnguyen",
"id": "293031",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 889,
"FileHash-SHA1": 817,
"FileHash-SHA256": 3623,
"domain": 755,
"SSLCertFingerprint": 1,
"URL": 396,
"hostname": 732,
"email": 14,
"CVE": 3,
"CIDR": 2
},
"indicator_count": 7232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 37,
"modified_text": "542 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66eeef55e2c1ec3a4fa60ef4",
"name": "Android",
"description": "",
"modified": "2024-10-25T00:05:34.912000",
"created": "2024-09-21T16:07:49.763000",
"tags": [
"read c",
"write c",
"create c",
"delete c",
"process32nextw",
"langchinese",
"search",
"regsetvalueexa",
"medium",
"show",
"trojan",
"malware",
"copy",
"write",
"win32",
"tools",
"persistence",
"execution",
"local",
"next",
"count",
"august",
"scan endpoints",
"all scoreblue",
"url http",
"pulse pulses",
"http",
"domain",
"passive dns",
"urls",
"files related",
"pulses otx",
"unknown",
"cname",
"files",
"ip address",
"as16276",
"spain unknown",
"meta name",
"frame src",
"ok set",
"cookie",
"gmt date",
"gmt content",
"encrypt",
"france",
"nxdomain",
"ns nxdomain",
"aaaa nxdomain",
"name servers",
"soa nxdomain",
"moved",
"creation date",
"date",
"body",
"aaaa",
"asnone belgium",
"united kingdom",
"as16276 ovh",
"sha256",
"maltaterfb",
"showing",
"total",
"read",
"delete",
"default",
"systemroot",
"high",
"virtool",
"virustotal",
"hacktool",
"drweb",
"vipre",
"panda",
"et trojan",
"msie",
"windows nt",
"entries",
"ascii text",
"intel",
"ms windows",
"salicode",
"emails",
"expiration date",
"france unknown",
"taskmail",
"task3dmail",
"capspdf1",
"mboxinbox",
"actionshow",
"twitter",
"canada unknown",
"error",
"ipv4",
"backend",
"alfper",
"gmt contenttype",
"gmt server",
"apache",
"exploit",
"hostname",
"dynamicloader",
"yara rule",
"delivery",
"alpha criteria",
"inno setup",
"format",
"june",
"stack",
"dummy",
"overview domain",
"pulses",
"tags",
"related tags",
"google safe",
"browsing",
"record type",
"ttl value",
"status",
"united",
"asnone united",
"record value",
"trojanproxy",
"servers",
"as15169 google",
"for privacy",
"domains ii",
"ransom",
"checks",
"bios",
"cpu name",
"dynamic",
"filehash",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"technology",
"dns replication",
"system label",
"cloudflarenet",
"apnic",
"south brisbane",
"asia pacific",
"apnic whois",
"po box",
"cordelia st",
"comment",
"apnic research",
"nethandle",
"arin",
"andariel",
"yara detections",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"http headers",
"home network",
"pulse submit",
"url analysis",
"mitre att",
"ta0002 shared",
"modules t1129",
"windows",
"ta0004 access",
"t1134",
"defense evasion",
"xor encrypt",
"rc4 prga",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"command",
"control ob0004",
"ob0005 defense",
"evasion ob0006",
"file system",
"oc0001 process",
"oc0003 data",
"hashes c2ae",
"capa",
"cape sandbox",
"lastline",
"microsoft",
"memory pattern",
"dns resolutions",
"ip traffic",
"urls tcp",
"tiger rat",
"hi",
"helping sabey"
],
"references": [
"Andariel Backdoor Activity (Checkin)",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
"Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Tonmye",
"display_name": "Trojan:Win32/Tonmye",
"target": "/malware/Trojan:Win32/Tonmye"
},
{
"id": "Win32:Kamso",
"display_name": "Win32:Kamso",
"target": null
},
{
"id": "VirTool:Win32/CeeInject.GF",
"display_name": "VirTool:Win32/CeeInject.GF",
"target": "/malware/VirTool:Win32/CeeInject.GF"
},
{
"id": "ALFPER:PUA:Win32/InstallCore",
"display_name": "ALFPER:PUA:Win32/InstallCore",
"target": null
},
{
"id": "Trojan:Win32/Tonmye!rfn",
"display_name": "Trojan:Win32/Tonmye!rfn",
"target": "/malware/Trojan:Win32/Tonmye!rfn"
},
{
"id": "Ransom:Win32/Ako",
"display_name": "Ransom:Win32/Ako",
"target": "/malware/Ransom:Win32/Ako"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ARIN",
"display_name": "ARIN",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Trojan[APT]/Win32.Lazarus",
"display_name": "Trojan[APT]/Win32.Lazarus",
"target": null
}
],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66ebda7ebbe759bb12cebd4a",
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "MayDay23",
"id": "292773",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 889,
"FileHash-SHA1": 817,
"FileHash-SHA256": 3623,
"domain": 755,
"SSLCertFingerprint": 1,
"URL": 396,
"hostname": 732,
"email": 14,
"CVE": 3,
"CIDR": 2
},
"indicator_count": 7232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 10,
"modified_text": "542 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ebda7ebbe759bb12cebd4a",
"name": "Andariel Backdoor Activity - Mirai found in Android",
"description": "Andariel Backdoor Activity: Cited as a state sponsored threat group, this ET malware Check in) can be accessed by decent hackers. Found in a targets android device. \n\nDevice being used to attack , manipulate accounts , files and every CnC Botmaster task desired.\n\nNote:. Hack responsibly.. Stop attacking innocent civilians.",
"modified": "2024-10-19T07:01:20.116000",
"created": "2024-09-19T08:02:06.265000",
"tags": [
"read c",
"write c",
"create c",
"delete c",
"process32nextw",
"langchinese",
"search",
"regsetvalueexa",
"medium",
"show",
"trojan",
"malware",
"copy",
"write",
"win32",
"tools",
"persistence",
"execution",
"local",
"next",
"count",
"august",
"scan endpoints",
"all scoreblue",
"url http",
"pulse pulses",
"http",
"domain",
"passive dns",
"urls",
"files related",
"pulses otx",
"unknown",
"cname",
"files",
"ip address",
"as16276",
"spain unknown",
"meta name",
"frame src",
"ok set",
"cookie",
"gmt date",
"gmt content",
"encrypt",
"france",
"nxdomain",
"ns nxdomain",
"aaaa nxdomain",
"name servers",
"soa nxdomain",
"moved",
"creation date",
"date",
"body",
"aaaa",
"asnone belgium",
"united kingdom",
"as16276 ovh",
"sha256",
"maltaterfb",
"showing",
"total",
"read",
"delete",
"default",
"systemroot",
"high",
"virtool",
"virustotal",
"hacktool",
"drweb",
"vipre",
"panda",
"et trojan",
"msie",
"windows nt",
"entries",
"ascii text",
"intel",
"ms windows",
"salicode",
"emails",
"expiration date",
"france unknown",
"taskmail",
"task3dmail",
"capspdf1",
"mboxinbox",
"actionshow",
"twitter",
"canada unknown",
"error",
"ipv4",
"backend",
"alfper",
"gmt contenttype",
"gmt server",
"apache",
"exploit",
"hostname",
"dynamicloader",
"yara rule",
"delivery",
"alpha criteria",
"inno setup",
"format",
"june",
"stack",
"dummy",
"overview domain",
"pulses",
"tags",
"related tags",
"google safe",
"browsing",
"record type",
"ttl value",
"status",
"united",
"asnone united",
"record value",
"trojanproxy",
"servers",
"as15169 google",
"for privacy",
"domains ii",
"ransom",
"checks",
"bios",
"cpu name",
"dynamic",
"filehash",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"technology",
"dns replication",
"system label",
"cloudflarenet",
"apnic",
"south brisbane",
"asia pacific",
"apnic whois",
"po box",
"cordelia st",
"comment",
"apnic research",
"nethandle",
"arin",
"andariel",
"yara detections",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"http headers",
"home network",
"pulse submit",
"url analysis",
"mitre att",
"ta0002 shared",
"modules t1129",
"windows",
"ta0004 access",
"t1134",
"defense evasion",
"xor encrypt",
"rc4 prga",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"command",
"control ob0004",
"ob0005 defense",
"evasion ob0006",
"file system",
"oc0001 process",
"oc0003 data",
"hashes c2ae",
"capa",
"cape sandbox",
"lastline",
"microsoft",
"memory pattern",
"dns resolutions",
"ip traffic",
"urls tcp",
"tiger rat",
"hi",
"helping sabey"
],
"references": [
"Andariel Backdoor Activity (Checkin)",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
"Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time..."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Tonmye",
"display_name": "Trojan:Win32/Tonmye",
"target": "/malware/Trojan:Win32/Tonmye"
},
{
"id": "Win32:Kamso",
"display_name": "Win32:Kamso",
"target": null
},
{
"id": "VirTool:Win32/CeeInject.GF",
"display_name": "VirTool:Win32/CeeInject.GF",
"target": "/malware/VirTool:Win32/CeeInject.GF"
},
{
"id": "ALFPER:PUA:Win32/InstallCore",
"display_name": "ALFPER:PUA:Win32/InstallCore",
"target": null
},
{
"id": "Trojan:Win32/Tonmye!rfn",
"display_name": "Trojan:Win32/Tonmye!rfn",
"target": "/malware/Trojan:Win32/Tonmye!rfn"
},
{
"id": "Ransom:Win32/Ako",
"display_name": "Ransom:Win32/Ako",
"target": "/malware/Ransom:Win32/Ako"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "ARIN",
"display_name": "ARIN",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Trojan[APT]/Win32.Lazarus",
"display_name": "Trojan[APT]/Win32.Lazarus",
"target": null
}
],
"attack_ids": [
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 889,
"FileHash-SHA1": 817,
"FileHash-SHA256": 3623,
"domain": 755,
"SSLCertFingerprint": 1,
"URL": 396,
"hostname": 732,
"email": 14,
"CVE": 3,
"CIDR": 2
},
"indicator_count": 7232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "548 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "661858cf6ac4c024886515d7",
"name": "Windows Sample of Windows - System32",
"description": "An analysis of Malware Distribution and Threats stemming from an ongoing breach at the University of Alberta. Retrospective & In-Progress tracking, identification, and characterization among affected individuals/organizations/sectors affected by misuse of credentials.\n\nA deeper dive into malicious files on samples of System32 gathered from the UofA as well as from Sample W11 PC",
"modified": "2024-09-27T22:03:43.303000",
"created": "2024-04-11T21:40:31.045000",
"tags": [],
"references": [
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary",
"https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark",
"https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html",
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs",
"https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark",
"https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv",
"https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark",
"https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S",
"updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark",
"https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Education",
"Government",
"Technology",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1329,
"FileHash-SHA1": 1302,
"FileHash-SHA256": 9051,
"domain": 1341,
"hostname": 4941,
"URL": 1903,
"CVE": 3
},
"indicator_count": 19870,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 131,
"modified_text": "569 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c607c354336e9c19aa3e1f",
"name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio",
"description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.",
"modified": "2024-03-10T11:05:48.248000",
"created": "2024-02-09T11:08:51.939000",
"tags": [
"url http",
"united",
"unknown",
"search",
"status",
"creation date",
"date",
"expiration date",
"showing",
"as201682 liquid",
"as32244 liquid",
"trojan",
"passive dns",
"entries",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"open",
"win32",
"body",
"date hash",
"avast avg",
"lowfi",
"ssl certificate",
"contacted",
"whois whois",
"sdhyzbh7v http",
"whois record",
"execution",
"apple ios",
"historical ssl",
"resolutions",
"sdhyzbh7v",
"attack",
"ransomexx",
"quasar",
"asyncrat",
"hacktool",
"maze",
"find",
"hell",
"crypto",
"remcosrat",
"worm",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"porkbun llc",
"ovh sas",
"summary iocs",
"graph community",
"as63949 linode",
"for privacy",
"asnone united",
"as174 cogent",
"as197695 domain",
"russia unknown",
"as16276",
"france unknown",
"encrypt",
"next",
"tsara brashears",
"targeting",
"cyber threat",
"abuse",
"malware spreading",
"hallgrand",
"tulach",
"sabey data centers",
"sav.com",
"outbreak",
"location united",
"asn as63949",
"whois registrar",
"related tags",
"interfacing",
"malicious",
"retaliation",
"botnet",
"porn",
"teen porn",
"illegal activities",
"theft",
"side3studios"
],
"references": [
"http://mobilesmafia.com/applications/botnet.ex",
"Found in: https://Side3.com/",
"CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
"https://otx.alienvault.com/indicator/domain/findmy-apple.support",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
"nr-data.net [Apple Private Data Collection]",
"WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?",
"/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
"pornhub.org",
"ww12.indianpornxxxtube.com",
"youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:Inject-BCL\\ [Trj]",
"display_name": "Win32:Inject-BCL\\ [Trj]",
"target": null
},
{
"id": "#Lowfi:SuspiciousSectionName",
"display_name": "#Lowfi:SuspiciousSectionName",
"target": null
},
{
"id": "Win32:Evo-gen\\ [Trj]",
"display_name": "Win32:Evo-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Mbrlock-9779766-0",
"display_name": "Win.Trojan.Mbrlock-9779766-0",
"target": null
},
{
"id": "Win.Trojan.Agent-828507",
"display_name": "Win.Trojan.Agent-828507",
"target": null
},
{
"id": "SHeur4.CEOO",
"display_name": "SHeur4.CEOO",
"target": null
},
{
"id": "Win32/Cryptor",
"display_name": "Win32/Cryptor",
"target": null
},
{
"id": "Win32/Tanatos.A",
"display_name": "Win32/Tanatos.A",
"target": null
},
{
"id": "W32.Sality-73",
"display_name": "W32.Sality-73",
"target": null
},
{
"id": "Generic_r.BYW",
"display_name": "Generic_r.BYW",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Trojan:Win32/RemcosRAT",
"display_name": "Trojan:Win32/RemcosRAT",
"target": "/malware/Trojan:Win32/RemcosRAT"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [
"Entertainment",
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 71387,
"domain": 8768,
"hostname": 17727,
"email": 16,
"FileHash-MD5": 195,
"FileHash-SHA1": 168,
"FileHash-SHA256": 15313,
"CVE": 9,
"CIDR": 7
},
"indicator_count": 113590,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "770 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a9b4296442cc8db50a264f",
"name": "Maui Ransomware ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:28:41.569000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653977171f690fb9ab978bf3",
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a9b87d2d435bdad9ce80a3",
"name": "Racoon Stealer ",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-18T23:47:09.818000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65aab8eb55243c504a2cb4c0",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-19T18:01:15.365000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65a9b4296442cc8db50a264f",
"export_count": 44,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65afcb842689eb776c0737e5",
"name": "Maui Ransomware",
"description": "",
"modified": "2024-02-17T23:00:21.788000",
"created": "2024-01-23T14:21:56.725000",
"tags": [
"first",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"info",
"namecheap",
"server",
"registrar abuse",
"code",
"namecheap inc",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"win32 exe",
"win32 dll",
"type name",
"user",
"dns replication",
"description",
"utc submissions",
"submitters",
"cloudflarenet",
"summary iocs",
"community https",
"urls",
"amazonaes",
"china telecom",
"sector",
"export",
"cloud",
"mb opera",
"mb iesettings",
"kb acrotray",
"installer",
"samplepath",
"ssl certificate",
"whois record",
"tsara brashears",
"apple ios",
"p2404",
"malware",
"apple",
"password",
"critical risk",
"password bypass",
"core",
"hacktool",
"metro",
"download",
"critical",
"copy",
"relic",
"monitoring",
"emotet",
"tulach",
"tulach.cc",
"united",
"heur",
"team",
"firehol",
"malware site",
"cyber threat",
"malicious site",
"phishing",
"phishing site",
"malicious",
"downer",
"artemis",
"dnspionage",
"kuaizip",
"fusioncore",
"softcnapp",
"downloader",
"trojan",
"zbot",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"maltiverse",
"phishtank",
"bank",
"unsafe",
"riskware",
"alexa",
"service",
"facebook",
"presenoker",
"agent",
"stealer",
"phish",
"union",
"azorult",
"runescape",
"generic",
"crack",
"dapato",
"iframe",
"downldr",
"vidar",
"raccoon",
"remcos",
"miner",
"agenttesla",
"unknown",
"detplock",
"networm",
"win64",
"trickbot",
"telecom",
"media",
"webtoolbar",
"trojanspy",
"no data",
"tag count",
"tld count",
"ip summary",
"url summary",
"summary",
"detection list",
"blacklist https",
"pattern match",
"samuel tulach",
"file",
"localappdata",
"ascii text",
"title",
"windows",
"hyperv",
"span",
"mitre att",
"meta",
"path",
"light",
"dark",
"vmprotect",
"main",
"footer",
"body",
"class",
"hybrid",
"accept",
"local",
"click",
"strings",
"error",
"script",
"form",
"root ca",
"textarea",
"github",
"input",
"trust",
"general",
"june",
"threat roundup",
"july",
"whois whois",
"collection",
"august",
"lolkek",
"ransomware",
"ursnif",
"lockbit",
"chaos",
"quasar",
"april",
"quasar rat",
"dark power",
"swisyn",
"wiper",
"cobalt strike",
"attack",
"bitrat",
"formbook",
"qakbot",
"ransomexx",
"gootloader",
"maui ransomware",
"Cobalt Strike",
"physical threat",
"target",
"contacted circa 10.23.2023-"
],
"references": [
"tulach.cc [Adversarial Malware Attack Source]",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"init-p01st.push.apple.com",
"newrelic.se [Apple Collection]",
"apple-dns.net. [Apple email collection]",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"nr-data.net [ Hidden private Apple data collection]",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://pin.it/ [SQLi Dumper]",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"msftconnecttest.com",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"104.200.22.130 Command and Control",
"aig.com",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"103.224.212.34 scanning_host",
"0-1.duckdns.org [malicious]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Tsara Brashears",
"display_name": "Tsara Brashears",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Daisy Coleman",
"display_name": "Daisy Coleman",
"target": null
},
{
"id": "Twitter Malware",
"display_name": "Twitter Malware",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "CVE JAR",
"display_name": "CVE JAR",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "TrickBot - S0266",
"display_name": "TrickBot - S0266",
"target": null
},
{
"id": "Death Bitches",
"display_name": "Death Bitches",
"target": null
},
{
"id": "Bit RAT",
"display_name": "Bit RAT",
"target": null
},
{
"id": "Swisyn",
"display_name": "Swisyn",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Fusioncore",
"display_name": "Fusioncore",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Maui Ransomware",
"display_name": "Maui Ransomware",
"target": null
},
{
"id": "Chaos",
"display_name": "Chaos",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "GootLoader",
"display_name": "GootLoader",
"target": null
},
{
"id": "Raccoon",
"display_name": "Raccoon",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "Apple Malware",
"display_name": "Apple Malware",
"target": null
},
{
"id": "FonePaw",
"display_name": "FonePaw",
"target": null
},
{
"id": "Amazon AES",
"display_name": "Amazon AES",
"target": null
},
{
"id": "Facebook HT",
"display_name": "Facebook HT",
"target": null
},
{
"id": "Ransomexx",
"display_name": "Ransomexx",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "Vidar",
"display_name": "Vidar",
"target": null
},
{
"id": "Agent Tesla - S0331",
"display_name": "Agent Tesla - S0331",
"target": null
},
{
"id": "Networm",
"display_name": "Networm",
"target": null
},
{
"id": "Dapato",
"display_name": "Dapato",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "DNSpionage",
"display_name": "DNSpionage",
"target": null
},
{
"id": "Trojan:Win32/Detplock",
"display_name": "Trojan:Win32/Detplock",
"target": "/malware/Trojan:Win32/Detplock"
},
{
"id": "Remcos",
"display_name": "Remcos",
"target": null
},
{
"id": "PwndLocker",
"display_name": "PwndLocker",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1583.002",
"name": "DNS Server",
"display_name": "T1583.002 - DNS Server"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65aab8eb55243c504a2cb4c0",
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 641,
"domain": 2470,
"FileHash-MD5": 656,
"FileHash-SHA256": 8634,
"hostname": 2629,
"email": 4,
"URL": 5605,
"CVE": 12
},
"indicator_count": 20651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "792 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659b4cea3e6da3a00306ae11",
"name": "Ragnar Locker | Cowrie Hash",
"description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.",
"modified": "2024-02-06T23:04:54.022000",
"created": "2024-01-08T01:16:26.884000",
"tags": [
"contacted",
"pe resource",
"execution",
"problems",
"alienvault part",
"dropped",
"kgs0",
"kls0",
"collections",
"schema abuse",
"iframe",
"united",
"as29791",
"search",
"entries",
"passive dns",
"urls",
"service",
"date",
"unknown",
"japan unknown",
"body",
"czechia unknown",
"sinkhole",
"emotet",
"date hash",
"avast avg",
"mtb dec",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"samples",
"tulach",
"tulach.cc",
"sabey data center",
"malware server",
"gorf",
"set cookie",
"united kingdom",
"script urls",
"trojan",
"status",
"showing",
"cookie",
"template",
"johnnsabey",
"briansabey",
"data center",
"choco",
"name",
"win32 exe",
"domains",
"registrar",
"markmonitor inc",
"ip detections",
"country",
"us execution",
"parents",
"whois record",
"whois whois",
"ssl certificate",
"apple ios",
"red team",
"tsara brashears",
"historical ssl",
"hacktool",
"copy",
"malicious",
"life",
"unsafe",
"server",
"registrar abuse",
"contact phone",
"domain status",
"registrar whois",
"email",
"registry domain",
"registry expiry",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"ec oid",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"info",
"first",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"show",
"free",
"recon",
"benjamin",
"write",
"worm",
"win32",
"june",
"delphi",
"code",
"malware",
"next",
"using",
"urls http",
"benjamin",
"nids",
"cowrie hashes",
"dns replication",
"files",
"sample",
"sender",
"us postal",
"cowrie",
"iranian actor",
"shipping",
"healthcare",
"ragnar locker",
"qakbot",
"qbot",
"pii",
"phi",
"privacy",
"honeypot",
"referrer",
"spyware",
"android",
"nanocore",
"banker",
"keylogger"
],
"references": [
"choco.exe",
"media-router-fp74.prod.media.vip.bf1.yahoo.com",
"https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true",
"httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/",
"http://security.didici.cc/cve",
"https://whois.domaintools.com/gov1.info",
"https://nsa.gov1.info/utah-data-center/",
"https://github.com/cowrie/cowrie",
"Cowrie (honeypot) - Wikipedia",
"https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware"
],
"public": 1,
"adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "ALF:Win32/GbdInf_123DF591.J!ibt",
"display_name": "ALF:Win32/GbdInf_123DF591.J!ibt",
"target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt"
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_ade36583!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt",
"target": null
},
{
"id": "ALF:Ransom:Win32/Babax.SG!MTB",
"display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
"target": null
},
{
"id": "ALF:SpikeAexR.SECTHDR",
"display_name": "ALF:SpikeAexR.SECTHDR",
"target": null
},
{
"id": "ALF:Trojan:MSIL/AgentTesla.KM",
"display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
"target": null
},
{
"id": "ALF:HeraklezEval:Ransom:MSIL/Gorf",
"display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "Ragnar Locker",
"display_name": "Ragnar Locker",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Trojan",
"display_name": "Trojan",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
},
{
"id": "NanCore RAY",
"display_name": "NanCore RAY",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [
"Healthcare",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 347,
"FileHash-SHA1": 222,
"FileHash-SHA256": 6645,
"hostname": 2744,
"URL": 9123,
"domain": 3065,
"email": 4
},
"indicator_count": 22150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "803 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a48ab7cd0bd218b17ccf6c",
"name": "Botnet Command and Control Server | Malware",
"description": "",
"modified": "2024-02-06T20:02:52.205000",
"created": "2024-01-15T01:30:31.655000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"status code",
"body",
"httponly",
"ssl certificate",
"historical ssl",
"whois record",
"parent referrer",
"whois whois",
"communicating",
"contacted",
"contacted urls",
"bundled",
"pe resource",
"dropped",
"army",
"machinename",
"execution",
"referrer",
"malware distribution site",
"phishing dropbox",
"evasive",
"banker",
"dde",
"dridex",
"exploit",
"dyre",
"dyreza",
"ransomware",
"mydoom",
"backdoor",
"svg",
"phising",
"locky",
"e-mail provider phishing",
"spear phishing",
"retefe",
"defacement",
"phishing development bank of singapore",
"banjori",
"suppobox",
"zeus",
"pony",
"solar",
"ransomware locky distribution site",
"nymaim",
"shade",
"troldesh",
"tvrat",
"zbot",
"elocky",
"wisdomeyes",
"kryptic",
"sinkhole",
"exploit",
"worm",
"backdoor",
"injector",
"botnet command and control server",
"unknown",
"domain",
"creation date",
"search",
"date",
"hostname",
"next",
"all search",
"otx octoseek",
"united",
"as13335",
"ipv4",
"pulse submit",
"url analysis",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"files",
"nxdomain",
"win32",
"meta",
"wabot",
"gmt contenttype",
"dnssec",
"name",
"win32 exe",
"detections file",
"file size",
"kb file",
"domains",
"registrar",
"markmonitor inc",
"status",
"susp",
"expiration date",
"name servers",
"domain related",
"entries",
"johnnsabey",
"m. brian sabey",
"mark sabey",
"sabey data center",
"utah",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"problems",
"alienvault part",
"kgs0",
"kls0",
"schema abuse",
"sneaky server",
"iframe",
"apple",
"data collection"
],
"references": [
"http://security.didici.cc/cve"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "virus.virlock/nabucur",
"display_name": "virus.virlock/nabucur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Locky",
"display_name": "Locky",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
},
{
"id": "Banjori",
"display_name": "Banjori",
"target": null
},
{
"id": "Trojan.AvsEtecer",
"display_name": "Trojan.AvsEtecer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "TV RAT",
"display_name": "TV RAT",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Dyre",
"display_name": "Dyre",
"target": null
},
{
"id": "ELocky",
"display_name": "ELocky",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Locky (Decryptor)",
"display_name": "Locky (Decryptor)",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Gen:Variant.Strictor",
"display_name": "Gen:Variant.Strictor",
"target": null
},
{
"id": "Adware.BrowseFox",
"display_name": "Adware.BrowseFox",
"target": null
},
{
"id": "W32.eHeur",
"display_name": "W32.eHeur",
"target": null
},
{
"id": "MSIL_Kryptik.P.gen",
"display_name": "MSIL_Kryptik.P.gen",
"target": null
},
{
"id": "pykspa_v2_fake",
"display_name": "pykspa_v2_fake",
"target": null
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "TEL:Exploit:Win32/Sinkers",
"display_name": "TEL:Exploit:Win32/Sinkers",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1594",
"name": "Search Victim-Owned Websites",
"display_name": "T1594 - Search Victim-Owned Websites"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659b0fd1ac7cb4d83834db1f",
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 231,
"FileHash-SHA256": 3121,
"URL": 4225,
"domain": 1725,
"hostname": 1416,
"FileHash-SHA1": 225,
"CVE": 2,
"email": 3
},
"indicator_count": 10948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "803 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659b0fd1ac7cb4d83834db1f",
"name": "Botnet Command and Control Server | Malware Distribution Site",
"description": "",
"modified": "2024-02-06T20:02:52.205000",
"created": "2024-01-07T20:55:45.006000",
"tags": [
"passive dns",
"urls",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"status code",
"body",
"httponly",
"ssl certificate",
"historical ssl",
"whois record",
"parent referrer",
"whois whois",
"communicating",
"contacted",
"contacted urls",
"bundled",
"pe resource",
"dropped",
"army",
"machinename",
"execution",
"referrer",
"malware distribution site",
"phishing dropbox",
"evasive",
"banker",
"dde",
"dridex",
"exploit",
"dyre",
"dyreza",
"ransomware",
"mydoom",
"backdoor",
"svg",
"phising",
"locky",
"e-mail provider phishing",
"spear phishing",
"retefe",
"defacement",
"phishing development bank of singapore",
"banjori",
"suppobox",
"zeus",
"pony",
"solar",
"ransomware locky distribution site",
"nymaim",
"shade",
"troldesh",
"tvrat",
"zbot",
"elocky",
"wisdomeyes",
"kryptic",
"sinkhole",
"exploit",
"worm",
"backdoor",
"injector",
"botnet command and control server",
"unknown",
"domain",
"creation date",
"search",
"date",
"hostname",
"next",
"all search",
"otx octoseek",
"united",
"as13335",
"ipv4",
"pulse submit",
"url analysis",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"files",
"nxdomain",
"win32",
"meta",
"wabot",
"gmt contenttype",
"dnssec",
"name",
"win32 exe",
"detections file",
"file size",
"kb file",
"domains",
"registrar",
"markmonitor inc",
"status",
"susp",
"expiration date",
"name servers",
"domain related",
"entries",
"johnnsabey",
"m. brian sabey",
"mark sabey",
"sabey data center",
"utah",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"problems",
"alienvault part",
"kgs0",
"kls0",
"schema abuse",
"sneaky server",
"iframe",
"apple",
"data collection"
],
"references": [
"http://security.didici.cc/cve"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "virus.virlock/nabucur",
"display_name": "virus.virlock/nabucur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "Locky",
"display_name": "Locky",
"target": null
},
{
"id": "Defacement",
"display_name": "Defacement",
"target": null
},
{
"id": "Banjori",
"display_name": "Banjori",
"target": null
},
{
"id": "Trojan.AvsEtecer",
"display_name": "Trojan.AvsEtecer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "TV RAT",
"display_name": "TV RAT",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Dyre",
"display_name": "Dyre",
"target": null
},
{
"id": "ELocky",
"display_name": "ELocky",
"target": null
},
{
"id": "Dridex",
"display_name": "Dridex",
"target": null
},
{
"id": "Locky (Decryptor)",
"display_name": "Locky (Decryptor)",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan.WisdomEyes.16070401.9500",
"display_name": "Trojan.WisdomEyes.16070401.9500",
"target": null
},
{
"id": "Gen:Variant.Strictor",
"display_name": "Gen:Variant.Strictor",
"target": null
},
{
"id": "Adware.BrowseFox",
"display_name": "Adware.BrowseFox",
"target": null
},
{
"id": "W32.eHeur",
"display_name": "W32.eHeur",
"target": null
},
{
"id": "MSIL_Kryptik.P.gen",
"display_name": "MSIL_Kryptik.P.gen",
"target": null
},
{
"id": "pykspa_v2_fake",
"display_name": "pykspa_v2_fake",
"target": null
},
{
"id": "Worm:Win32/Pykspa",
"display_name": "Worm:Win32/Pykspa",
"target": "/malware/Worm:Win32/Pykspa"
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "TEL:Exploit:Win32/Sinkers",
"display_name": "TEL:Exploit:Win32/Sinkers",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
}
],
"attack_ids": [
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1594",
"name": "Search Victim-Owned Websites",
"display_name": "T1594 - Search Victim-Owned Websites"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 231,
"FileHash-SHA256": 3121,
"URL": 4225,
"domain": 1725,
"hostname": 1416,
"FileHash-SHA1": 225,
"CVE": 2,
"email": 3
},
"indicator_count": 10948,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "803 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658449d3f6ec1af2f3aace46",
"name": "Qakbot | Reddit",
"description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.",
"modified": "2024-01-20T02:02:19.559000",
"created": "2023-12-21T14:21:07.435000",
"tags": [
"ssl certificate",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"threat",
"paste",
"blacklist https",
"qakbot",
"site",
"cisco umbrella",
"alexa top",
"million",
"ascii text",
"pattern match",
"file",
"windows nt",
"appdata",
"indicator",
"crlf line",
"unicode text",
"jpeg image",
"mitre att",
"hybrid",
"general",
"local",
"error",
"click",
"strings",
"microsoft",
"threat analyzer",
"urls https",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"heur",
"malware site",
"malicious site",
"safe site",
"malware",
"html",
"phishing site",
"site top",
"riskware",
"unsafe",
"artemis",
"quasar rat",
"downldr",
"agent",
"presenoker",
"applicunwnt",
"crack",
"cve201711882",
"win64",
"iframe",
"quasar",
"trojanspy",
"exit",
"node tcp",
"tor known",
"tor relayrouter",
"traffic",
"anonymizer",
"brasil",
"phishing three",
"united",
"phishing bank",
"virustotal",
"tech",
"bank",
"maltiverse",
"hidelink",
"samples",
"spyware",
"injector",
"mon jan",
"tld count",
"wed dec",
"download",
"first",
"team",
"simda",
"bambernek",
"simda simda",
"infy",
"alexa",
"gregory",
"cyber threat",
"phishing",
"engineering",
"covid19",
"telefonica co",
"malicious",
"zbot",
"zeus",
"betabot",
"suppobox",
"citadel",
"pony",
"kraken",
"redline stealer",
"ransomware",
"vawtrak",
"athena",
"neutrino",
"alina",
"andromeda",
"dexter",
"unknown",
"keylogger",
"hawkeye",
"phase",
"jackpos",
"plasma",
"spyeye",
"spitmo",
"slingshot",
"ramnit",
"emotet",
"pykspa",
"virut",
"installcore",
"dorkbot",
"bondat",
"union",
"vskimmer",
"xtrat",
"solar",
"grandcrab",
"nymaim",
"matsnu",
"cutwail",
"cobalt strike",
"hydra",
"tinba",
"nsis",
"memscan",
"deepscan",
"runescape",
"backdoor",
"reddit",
"tulach",
"password stealer",
"active threat",
"apple",
"pinkslipbot",
"icloud",
"free",
"apple"
],
"references": [
"https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]",
"https://tulach.cc/ [Botnet phishing]",
"https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
"https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
"198.54.115.46 [exploit_source]",
"gadyniw.com [command_and_control]",
"gahyqah.com [command_and_control]",
"galyqaz.com [command_and_control]",
"lyvyxor.com [command_and_control]",
"puzylyp.com [command_and_control]",
"malicious.high.ml [dropper]",
"https://www.reddit.com/user [honeypot]",
"beacons.bcp.gvt.com [tracking]",
"https://www.norad.mil/ [tracking]",
"www.norad.mil [tracking]",
"www.apple.com [API property call]",
"https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]",
"yesporn.fun",
"http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]",
"114.114.114.114 [Tulach | Virus Network IP]"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Gregory",
"display_name": "Gregory",
"target": null
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "Matsnu",
"display_name": "Matsnu",
"target": null
},
{
"id": "Vawtrak",
"display_name": "Vawtrak",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "vSkimmer",
"display_name": "vSkimmer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "SpyEye",
"display_name": "SpyEye",
"target": null
},
{
"id": "Spitmo",
"display_name": "Spitmo",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "DorkBot",
"display_name": "DorkBot",
"target": null
},
{
"id": "Slingshot",
"display_name": "Slingshot",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Plasma RAT",
"display_name": "Plasma RAT",
"target": null
},
{
"id": "Neutrino",
"display_name": "Neutrino",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "NSIS",
"display_name": "NSIS",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "GrandCrab",
"display_name": "GrandCrab",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Alinaos",
"display_name": "Alinaos",
"target": null
},
{
"id": "HawkEye",
"display_name": "HawkEye",
"target": null
},
{
"id": "Kraken",
"display_name": "Kraken",
"target": null
},
{
"id": "Infy",
"display_name": "Infy",
"target": null
},
{
"id": "Dexter",
"display_name": "Dexter",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "ASCII",
"display_name": "ASCII",
"target": null
},
{
"id": "Athena",
"display_name": "Athena",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "BetaBot",
"display_name": "BetaBot",
"target": null
},
{
"id": "COVID19",
"display_name": "COVID19",
"target": null
},
{
"id": "Citadel",
"display_name": "Citadel",
"target": null
},
{
"id": "Bondat",
"display_name": "Bondat",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Hydra",
"display_name": "Hydra",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Pinkslipbot",
"display_name": "Pinkslipbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 124,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8736,
"FileHash-MD5": 953,
"FileHash-SHA1": 489,
"FileHash-SHA256": 3566,
"domain": 1516,
"hostname": 2221,
"CVE": 6
},
"indicator_count": 17487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6583e3acc7f464d48a3503d1",
"name": "Qkbot | Reddit",
"description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.",
"modified": "2024-01-20T02:02:19.559000",
"created": "2023-12-21T07:05:16.695000",
"tags": [
"ssl certificate",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"threat",
"paste",
"blacklist https",
"qakbot",
"site",
"cisco umbrella",
"alexa top",
"million",
"ascii text",
"pattern match",
"file",
"windows nt",
"appdata",
"indicator",
"crlf line",
"unicode text",
"jpeg image",
"mitre att",
"hybrid",
"general",
"local",
"error",
"click",
"strings",
"microsoft",
"threat analyzer",
"urls https",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"heur",
"malware site",
"malicious site",
"safe site",
"malware",
"html",
"phishing site",
"site top",
"riskware",
"unsafe",
"artemis",
"quasar rat",
"downldr",
"agent",
"presenoker",
"applicunwnt",
"crack",
"cve201711882",
"win64",
"iframe",
"quasar",
"trojanspy",
"exit",
"node tcp",
"tor known",
"tor relayrouter",
"traffic",
"anonymizer",
"brasil",
"phishing three",
"united",
"phishing bank",
"virustotal",
"tech",
"bank",
"maltiverse",
"hidelink",
"samples",
"spyware",
"injector",
"mon jan",
"tld count",
"wed dec",
"download",
"first",
"team",
"simda",
"bambernek",
"simda simda",
"infy",
"alexa",
"gregory",
"cyber threat",
"phishing",
"engineering",
"covid19",
"telefonica co",
"malicious",
"zbot",
"zeus",
"betabot",
"suppobox",
"citadel",
"pony",
"kraken",
"redline stealer",
"ransomware",
"vawtrak",
"athena",
"neutrino",
"alina",
"andromeda",
"dexter",
"unknown",
"keylogger",
"hawkeye",
"phase",
"jackpos",
"plasma",
"spyeye",
"spitmo",
"slingshot",
"ramnit",
"emotet",
"pykspa",
"virut",
"installcore",
"dorkbot",
"bondat",
"union",
"vskimmer",
"xtrat",
"solar",
"grandcrab",
"nymaim",
"matsnu",
"cutwail",
"cobalt strike",
"hydra",
"tinba",
"nsis",
"memscan",
"deepscan",
"runescape",
"backdoor",
"reddit",
"tulach"
],
"references": [
"https://seedbeej.pk/tin/index.php?QBOT.zip",
"https://tulach.cc/ [phishing, exploits, malware spreader]",
"https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
"https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
"198.54.115.46 [exploit_source]",
"gadyniw.com [command_and_control]",
"gahyqah.com [command_and_control]",
"galyqaz.com [command_and_control]",
"lyvyxor.com [command_and_control]",
"puzylyp.com [command_and_control]",
"malicious.high.ml [dropper]",
"https://www.reddit.com/user"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Gregory",
"display_name": "Gregory",
"target": null
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "Matsnu",
"display_name": "Matsnu",
"target": null
},
{
"id": "Vawtrak",
"display_name": "Vawtrak",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "vSkimmer",
"display_name": "vSkimmer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "SpyEye",
"display_name": "SpyEye",
"target": null
},
{
"id": "Spitmo",
"display_name": "Spitmo",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "DorkBot",
"display_name": "DorkBot",
"target": null
},
{
"id": "Slingshot",
"display_name": "Slingshot",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Plasma RAT",
"display_name": "Plasma RAT",
"target": null
},
{
"id": "Neutrino",
"display_name": "Neutrino",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "NSIS",
"display_name": "NSIS",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "GrandCrab",
"display_name": "GrandCrab",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Alinaos",
"display_name": "Alinaos",
"target": null
},
{
"id": "HawkEye",
"display_name": "HawkEye",
"target": null
},
{
"id": "Kraken",
"display_name": "Kraken",
"target": null
},
{
"id": "Infy",
"display_name": "Infy",
"target": null
},
{
"id": "Dexter",
"display_name": "Dexter",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "ASCII",
"display_name": "ASCII",
"target": null
},
{
"id": "Athena",
"display_name": "Athena",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "BetaBot",
"display_name": "BetaBot",
"target": null
},
{
"id": "COVID19",
"display_name": "COVID19",
"target": null
},
{
"id": "Citadel",
"display_name": "Citadel",
"target": null
},
{
"id": "Bondat",
"display_name": "Bondat",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Hydra",
"display_name": "Hydra",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 101,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8343,
"FileHash-MD5": 953,
"FileHash-SHA1": 489,
"FileHash-SHA256": 3565,
"domain": 1494,
"hostname": 2218,
"CVE": 6
},
"indicator_count": 17068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6583e3a2d1432cbf9054d26d",
"name": "Qkbot | Reddit",
"description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.",
"modified": "2024-01-20T02:02:19.559000",
"created": "2023-12-21T07:05:06.936000",
"tags": [
"ssl certificate",
"iocs",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"threat",
"paste",
"blacklist https",
"qakbot",
"site",
"cisco umbrella",
"alexa top",
"million",
"ascii text",
"pattern match",
"file",
"windows nt",
"appdata",
"indicator",
"crlf line",
"unicode text",
"jpeg image",
"mitre att",
"hybrid",
"general",
"local",
"error",
"click",
"strings",
"microsoft",
"threat analyzer",
"urls https",
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"heur",
"malware site",
"malicious site",
"safe site",
"malware",
"html",
"phishing site",
"site top",
"riskware",
"unsafe",
"artemis",
"quasar rat",
"downldr",
"agent",
"presenoker",
"applicunwnt",
"crack",
"cve201711882",
"win64",
"iframe",
"quasar",
"trojanspy",
"exit",
"node tcp",
"tor known",
"tor relayrouter",
"traffic",
"anonymizer",
"brasil",
"phishing three",
"united",
"phishing bank",
"virustotal",
"tech",
"bank",
"maltiverse",
"hidelink",
"samples",
"spyware",
"injector",
"mon jan",
"tld count",
"wed dec",
"download",
"first",
"team",
"simda",
"bambernek",
"simda simda",
"infy",
"alexa",
"gregory",
"cyber threat",
"phishing",
"engineering",
"covid19",
"telefonica co",
"malicious",
"zbot",
"zeus",
"betabot",
"suppobox",
"citadel",
"pony",
"kraken",
"redline stealer",
"ransomware",
"vawtrak",
"athena",
"neutrino",
"alina",
"andromeda",
"dexter",
"unknown",
"keylogger",
"hawkeye",
"phase",
"jackpos",
"plasma",
"spyeye",
"spitmo",
"slingshot",
"ramnit",
"emotet",
"pykspa",
"virut",
"installcore",
"dorkbot",
"bondat",
"union",
"vskimmer",
"xtrat",
"solar",
"grandcrab",
"nymaim",
"matsnu",
"cutwail",
"cobalt strike",
"hydra",
"tinba",
"nsis",
"memscan",
"deepscan",
"runescape",
"backdoor",
"reddit",
"tulach"
],
"references": [
"https://seedbeej.pk/tin/index.php?QBOT.zip",
"https://tulach.cc/ [phishing, exploits, malware spreader]",
"https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
"https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
"198.54.115.46 [exploit_source]",
"gadyniw.com [command_and_control]",
"gahyqah.com [command_and_control]",
"galyqaz.com [command_and_control]",
"lyvyxor.com [command_and_control]",
"puzylyp.com [command_and_control]",
"malicious.high.ml [dropper]",
"https://www.reddit.com/user"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "Quasar",
"display_name": "Quasar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Gregory",
"display_name": "Gregory",
"target": null
},
{
"id": "Cutwail",
"display_name": "Cutwail",
"target": null
},
{
"id": "Matsnu",
"display_name": "Matsnu",
"target": null
},
{
"id": "Vawtrak",
"display_name": "Vawtrak",
"target": null
},
{
"id": "XRat",
"display_name": "XRat",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "vSkimmer",
"display_name": "vSkimmer",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "Pykspa",
"display_name": "Pykspa",
"target": null
},
{
"id": "SpyEye",
"display_name": "SpyEye",
"target": null
},
{
"id": "Spitmo",
"display_name": "Spitmo",
"target": null
},
{
"id": "Solar",
"display_name": "Solar",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "DorkBot",
"display_name": "DorkBot",
"target": null
},
{
"id": "Slingshot",
"display_name": "Slingshot",
"target": null
},
{
"id": "Pony",
"display_name": "Pony",
"target": null
},
{
"id": "Plasma RAT",
"display_name": "Plasma RAT",
"target": null
},
{
"id": "Neutrino",
"display_name": "Neutrino",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "NSIS",
"display_name": "NSIS",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "GrandCrab",
"display_name": "GrandCrab",
"target": null
},
{
"id": "Andromeda",
"display_name": "Andromeda",
"target": null
},
{
"id": "Alinaos",
"display_name": "Alinaos",
"target": null
},
{
"id": "HawkEye",
"display_name": "HawkEye",
"target": null
},
{
"id": "Kraken",
"display_name": "Kraken",
"target": null
},
{
"id": "Infy",
"display_name": "Infy",
"target": null
},
{
"id": "Dexter",
"display_name": "Dexter",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "ASCII",
"display_name": "ASCII",
"target": null
},
{
"id": "Athena",
"display_name": "Athena",
"target": null
},
{
"id": "Bambernek",
"display_name": "Bambernek",
"target": null
},
{
"id": "BetaBot",
"display_name": "BetaBot",
"target": null
},
{
"id": "COVID19",
"display_name": "COVID19",
"target": null
},
{
"id": "Citadel",
"display_name": "Citadel",
"target": null
},
{
"id": "Bondat",
"display_name": "Bondat",
"target": null
},
{
"id": "HideLink",
"display_name": "HideLink",
"target": null
},
{
"id": "Hydra",
"display_name": "Hydra",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 98,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8343,
"FileHash-MD5": 953,
"FileHash-SHA1": 489,
"FileHash-SHA256": 3565,
"domain": 1494,
"hostname": 2218,
"CVE": 6
},
"indicator_count": 17068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655bd8cdff0012b85a94364f",
"name": "Raven",
"description": "Source: WITHU4EVER.com \nDeepScan , browser modifier, password cracker, C2",
"modified": "2023-12-20T21:03:27.869000",
"created": "2023-11-20T22:08:13.877000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"tsara brashears",
"referrer",
"kgs0",
"kls0",
"apple ios",
"critical risk",
"attack",
"hacktool",
"installer",
"search live",
"api blog",
"docs pricing",
"login",
"november",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"value",
"variables",
"userrecovery",
"raven",
"cookies",
"reverse dns",
"software",
"resource hash",
"general full",
"url https",
"frankfurt",
"main",
"germany",
"asn20940",
"akamaiasn1",
"windows nt",
"win64",
"khtml",
"gecko",
"europeberlin",
"aes256gcm",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"site top",
"html",
"safe site",
"site safe",
"maltiverse",
"alexa top",
"million",
"unsafe",
"malware",
"riskware",
"dropper",
"team",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"cve201711882",
"auslogics",
"deepscan",
"genpack",
"phish",
"phishing",
"bank",
"first",
"trojanclicker",
"bnr",
"webtoolbar",
"trojanspy",
"tsara brashears",
"contacted",
"sides with",
"amadey bot",
"excel",
"macros ursnif",
"sneaky server",
"replacement",
"unauthorized",
"black basta",
"devoted high",
"core",
"emotet",
"cowardly lion group",
"sabey tooth group",
"cp",
"cyber",
"diat",
"infostealer",
"password"
],
"references": [
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"nr-data.net \u2022 Apple Private Data Collection",
"www.supernetforme.com \u2022 CNC",
"103.224.212.219 \u2022 CNC",
"45.159.189.105 \u2022 CNC",
"Resource: WithU4ever.com"
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "BNR",
"display_name": "BNR",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "IceFog",
"display_name": "IceFog",
"target": null
},
{
"id": "Sabey Tooth",
"display_name": "Sabey Tooth",
"target": null
},
{
"id": "IObit",
"display_name": "IObit",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Swrort Stager",
"display_name": "Swrort Stager",
"target": null
},
{
"id": "TrojanClicker.",
"display_name": "TrojanClicker.",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1243,
"URL": 4176,
"FileHash-MD5": 63,
"FileHash-SHA1": 24,
"FileHash-SHA256": 1386,
"domain": 518,
"CIDR": 1,
"CVE": 11,
"email": 1
},
"indicator_count": 7423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655bd8cfe894eabbe8ef2bc5",
"name": "Raven",
"description": "Source: WITHU4EVER.com \nDeepScan , browser modifier, password cracker, C2",
"modified": "2023-12-20T21:03:27.869000",
"created": "2023-11-20T22:08:15.066000",
"tags": [
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"tsara brashears",
"referrer",
"kgs0",
"kls0",
"apple ios",
"critical risk",
"attack",
"hacktool",
"installer",
"search live",
"api blog",
"docs pricing",
"login",
"november",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"value",
"variables",
"userrecovery",
"raven",
"cookies",
"reverse dns",
"software",
"resource hash",
"general full",
"url https",
"frankfurt",
"main",
"germany",
"asn20940",
"akamaiasn1",
"windows nt",
"win64",
"khtml",
"gecko",
"europeberlin",
"aes256gcm",
"no data",
"tag count",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"tag tag",
"blacklist http",
"cisco umbrella",
"heur",
"site",
"site top",
"html",
"safe site",
"site safe",
"maltiverse",
"alexa top",
"million",
"unsafe",
"malware",
"riskware",
"dropper",
"team",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"trojanx",
"artemis",
"installcore",
"webshell",
"exploit",
"crack",
"cve201711882",
"auslogics",
"deepscan",
"genpack",
"phish",
"phishing",
"bank",
"first",
"trojanclicker",
"bnr",
"webtoolbar",
"trojanspy",
"tsara brashears",
"contacted",
"sides with",
"amadey bot",
"excel",
"macros ursnif",
"sneaky server",
"replacement",
"unauthorized",
"black basta",
"devoted high",
"core",
"emotet",
"cowardly lion group",
"sabey tooth group",
"cp",
"cyber",
"diat",
"infostealer",
"password"
],
"references": [
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"nr-data.net \u2022 Apple Private Data Collection",
"www.supernetforme.com \u2022 CNC",
"103.224.212.219 \u2022 CNC",
"45.159.189.105 \u2022 CNC",
"Resource: WithU4ever.com"
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanClicker",
"display_name": "TrojanClicker",
"target": null
},
{
"id": "BNR",
"display_name": "BNR",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "IceFog",
"display_name": "IceFog",
"target": null
},
{
"id": "Sabey Tooth",
"display_name": "Sabey Tooth",
"target": null
},
{
"id": "IObit",
"display_name": "IObit",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Unruy",
"display_name": "Unruy",
"target": null
},
{
"id": "Swrort Stager",
"display_name": "Swrort Stager",
"target": null
},
{
"id": "TrojanClicker.",
"display_name": "TrojanClicker.",
"target": null
},
{
"id": "Sality",
"display_name": "Sality",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "InstallCore",
"display_name": "InstallCore",
"target": null
},
{
"id": "Crack",
"display_name": "Crack",
"target": null
},
{
"id": "PWS:Win32/Raven",
"display_name": "PWS:Win32/Raven",
"target": "/malware/PWS:Win32/Raven"
},
{
"id": "MediaMagnet",
"display_name": "MediaMagnet",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1243,
"URL": 4176,
"FileHash-MD5": 63,
"FileHash-SHA1": 24,
"FileHash-SHA256": 1386,
"domain": 518,
"CIDR": 1,
"CVE": 11,
"email": 1
},
"indicator_count": 7423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708abeb0514054bd29b714",
"name": "Microsoft.com",
"description": "",
"modified": "2023-12-06T14:52:46.732000",
"created": "2023-12-06T14:52:46.732000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 1346,
"domain": 234,
"hostname": 572,
"URL": 947
},
"indicator_count": 3100,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708a95ab15ef813f26cbb5",
"name": "New Data Wiper",
"description": "",
"modified": "2023-12-06T14:52:05.094000",
"created": "2023-12-06T14:52:05.094000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 151,
"domain": 34,
"URL": 363,
"hostname": 213,
"FileHash-MD5": 9,
"FileHash-SHA1": 4
},
"indicator_count": 774,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657089a117363fdfb72ab1d2",
"name": "Win.Ransomware.WannaCry-9856297-0",
"description": "",
"modified": "2023-12-06T14:48:01.384000",
"created": "2023-12-06T14:48:01.384000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 84,
"URL": 239,
"domain": 17,
"FileHash-SHA256": 405
},
"indicator_count": 745,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65707f1e93a43d75465b2913",
"name": "Load Money",
"description": "",
"modified": "2023-12-06T14:03:10.107000",
"created": "2023-12-06T14:03:10.107000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 278,
"URL": 423,
"hostname": 131,
"domain": 117
},
"indicator_count": 949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65707e5b7df6f60133e8fb50",
"name": "Jeeng / Powerbox",
"description": "",
"modified": "2023-12-06T13:59:55.129000",
"created": "2023-12-06T13:59:55.129000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 3,
"FileHash-SHA256": 9072,
"domain": 2500,
"hostname": 3584,
"URL": 13548,
"FileHash-MD5": 197,
"FileHash-SHA1": 162,
"email": 19,
"CIDR": 20,
"SSLCertFingerprint": 2,
"BitcoinAddress": 1
},
"indicator_count": 29108,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401fddb74fe1ea8506132d",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:57.026000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d5ee5a7359a5e815a6a",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:18.712000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d73e96dd70037ed22a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:39.802000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin",
"authrootstl.cab",
"ET MALWARE Playtech Downloader Online Gaming Checkin Malware",
"Andariel Backdoor Activity (Checkin)",
"http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.",
"pegasuspartners.followupboss.com",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h",
"https://pin.it/ [SQLi Dumper]",
"usw-2-dev.palantirfoundry.com \u2022 lucyw.palantirfoundry.com \u2022 https://fegdip.palantirfoundry.com/",
"ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/",
"It appears there are 5-7 known affected that I was able to find",
"https://www.biblegateway.com/passage/?search=2%20Timothy%203&version=NIV",
"Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com",
"open.spotify.com \u2022",
"ncsi-geo.trafficmanager.net =analytics.tresensa.com",
"https://www.norad.mil/ [tracking]",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv",
"Proofpoint Emerging Threats Open X Context for the matching alerts",
"http://geo.web-installer-assets.com/H",
"fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]",
"https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"198.54.115.46 [exploit_source]",
"Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech",
"https://tulach.cc/ [Botnet phishing]",
"http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_",
"http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51",
"http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]",
"http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede",
"www.apple.com [API property call]",
"https://www.reddit.com/user",
"45.159.189.105 \u2022 CNC",
"104.200.22.130 Command and Control",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/",
"lyvyxor.com [command_and_control]",
"https://pegasus.pahamify.com/ \u2022 https://pegasus.pahamify.com/study-plan/ \u2022 pegasus.pahamify.com",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"cache.download2.casino.com",
"http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe",
"CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 Phishing",
"aptia.palantirfoundry.com \u2022 palantirfoundry.com \u2022\u2019agent-infra-mojito.palantirfoundry.com",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .",
"https://nsa.gov1.info/utah-data-center/",
"John 12:17",
"uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd458176426a",
"https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
"https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL",
"www.norad.mil [tracking]",
"ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113",
"init-p01st.push.apple.com",
"Above Assurant link. [ Hidden privacy threats,,Transactional campaign",
"https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt",
"0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/",
"nr-data.net [ Hidden private Apple data collection]",
"Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3",
"Cowrie (honeypot) - Wikipedia",
"Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"equilibrium.palantirfoundry.com \u2022 kt-presales.palantirfoundry.com \u2022 paloma.palantirfoundry.com",
"http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92",
"http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community",
"www.onyx-ware.com \u2022 endgamesystems.com",
"https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=",
"media-router-fp74.prod.media.vip.bf1.yahoo.com",
"gadyniw.com [command_and_control]",
"Resource: WithU4ever.com",
"https://seedbeej.pk/tin/index.php?QBOT.zip",
"Mr. Telephone man. there js something wrong with her line when she tries to dial a number, she gets a freak every time...",
"beacons.bcp.gvt.com [tracking]",
"https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]",
"http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=",
"CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]",
"https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5",
"114.114.114.114 [Tulach | Virus Network IP]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 Password Cracker",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"https://inbound-message-listener-temporary-testing.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/module/view/latest/ri.workshop.main.module.cee847ce-7689-42e8-8ca4-bd45176426a",
"CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet",
"https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"http://www.mohurd.gov.cn.lxcvc.com/",
"Found in: https://Side3.com/",
"https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark",
"nr-data.net [Apple Private Data Collection]",
"https://www.reddit.com/user [honeypot]",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]",
"https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider",
"div>
",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs",
"tulach.cc [Adversarial Malware Attack Source]",
"External Apple Connection: Notepad.pw",
"mobile.twitter.com [titled hashtag Daisy Coleman]",
"malicious.high.ml [dropper]",
"https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq",
"https://wes.palantirfoundry.com/ \u2022 http://utilities-bootcamp.palantirfoundry.com/",
"https://urlscan.io/result/9feaa404-2c53-480d-8571-542121740809/#indicators",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"https://target.tccwest.www.littleswimmers.fr/",
"Denver, US 80211 http://library.verizon.onereach.ai",
"http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit",
"galyqaz.com [command_and_control]",
"takedown-communication-api.prod-c15a-awsuse.ppops.net",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"I apologize for the lack of reference.",
"pornhub.org",
"103.224.212.34 scanning_host",
"sipphone.com",
"Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com",
"thebeautifulbet.com",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4",
"choco.exe",
"https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f",
"https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea",
"0-1.duckdns.org [malicious]",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"https://whois.domaintools.com/gov1.info",
"https://www.hybrid-analysis.com/sample/393a851d6948e2a5d0d70ce884b3e0b4b9287b5d089671cac229ed63b42f0dba",
"IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns",
"www.supernetforme.com \u2022 CNC",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.afa33b71-01ea-477c-bc01-f6a3ab623e9d/master",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]",
"http://mp7tf.best-cell-phone-plans-for-seniors.cfd/",
"https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/",
"dev.myhpnmedicaid.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]",
"WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?",
"Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx",
"config.uca.cloud.unity3d.com",
"http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499",
"installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze",
"Command and Control Activity Detected",
"Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |",
"https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary",
"https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark",
"http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c",
"apple.com [=vaccine.com / negative http or https - insecure, malicious]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]",
"https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153",
"http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e",
"https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]",
"Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo",
"https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark",
"https://sfmg-testing.palantirfoundry.com\t\u2022 https://signup.palantirfoundry.com/",
"https://uhsinc.palantirfoundry.com/ \u2022 https://velocityglobal.palantirfoundry.com",
"http://45.159.189.105/bot/regex \u2022 Tracking Tsara Brashears Botnetwork",
"https://dotnet.microsoft.com/en-us/apps/aspnet",
"Yara: Detections: stack_string | ConventionEngine_Keyword_Install |",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"https://github.com/cowrie/cowrie",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"newrelic.se [Apple Collection]",
"http://dasima-containers.palantirfoundry.com/ \u2022 https://glare.palantirfoundry.com/",
"Handled by Lumen Technologies | What kind of darkness is this?",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9",
"IDS: WGET Command Specifying Output in HTTP Headers",
"Requires further research.",
"updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark",
"Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!",
"msftconnecttest.com",
"youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn",
"https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]",
"nr-data.net \u2022 Apple Private Data Collection",
"yesporn.fun",
"https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"https://otx.alienvault.com/indicator/domain/findmy-apple.support",
"Registrant Org: Japan Computer Emergency Response Team Coordination Center",
"https://l.us-1.a.mimecastprotect.com/l",
"http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=",
"http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09",
"http://1.116.132.182/weblogic_CVE_2020_2551.jar",
"103.224.212.219 \u2022 CNC",
"https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"search.roi.ros.gov.uk",
"http://security.didici.cc/cve",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u",
"https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]",
"https://listeners.usw-16.palantirfoundry.com \u2022 https://pacificlife.palantirfoundry.com/",
"https://github-cloud.s3.amazonaws.com [DNS prefetch]",
"https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter",
"puzylyp.com [command_and_control]",
"ASP.net Open source. A framework for building web apps and services with .NET and C#",
"Verification failure observed in automated verification handlers during sandbox replay.",
"http://glare.palantirfoundry.com/ \u2022 https://woodward.palantirfoundry.com/",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"ww12.indianpornxxxtube.com",
"https://pegasus.pahamify.com/",
"https://tulach.cc/ [phishing, exploits, malware spreader]",
"URL: http://cache.download2.casino.com/download/casino/client",
"http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration",
"12 CVE exploits posted in 'scoreblue' CVE tally",
"apple-dns.net. [Apple email collection]",
"gahyqah.com [command_and_control]",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"Same legal , and quasi governmental pattern identified",
"IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d",
"Trojan.NukeSped./TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group \u00bb state-sponsored threat actor & Defense media",
"/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03",
"http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed",
"https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"aig.com",
"http://mobilesmafia.com/applications/botnet.ex",
"CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]",
"Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"Unnamed group",
"Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin",
"TAM Legal Christopher P. Ahmann Chief Terrorist",
"[Unnamed group]",
"El Machete, TAG-100, Mirage, Unamed_Grooup"
],
"malware_families": [
"Hawkeye",
"Azorult",
"Vskimmer",
"Vidar",
"Pwndlocker",
"Win32:hacktoolx-gen\\ [trj]",
"Amazon aes",
"Trojan:win32/zombie.a",
"Et",
"Trojan:win32/ircbot",
"Gootloader",
"Malware",
"Locky",
"Win.sombrat",
"Apnic",
"Arin",
"Grandcrab",
"Qakbot",
"Pykspa_v2_fake",
"Nsis",
"Pony",
"Bible gateway",
"Alf:win32/gbdinf_123df591.j!ibt",
"Hacktool",
"Bnr",
"Vawtrak",
"Trojan:win32/tonmye!rfn",
"Trickbot - s0266",
"Tel:backdoor:win32/plugx",
"Alfper:pua:win32/installcore",
"Alf:spikeaexr.secthdr",
"Trojan",
"Spyeye",
"Worm:win32/benjamin",
"Qbot",
"Tulach malware",
"Raccoon",
"#lowfi:lua:autoitlargefile",
"Trojandropper:win32/muldrop.v!mtb",
"Hidelink",
"Win32/tanatos.a",
"Bondat",
"Infy",
"Gregory",
"Win32/cryptor",
"Elf:ddos-y\\ [trj]",
"Networm",
"Quasar",
"Lolkek",
"Pegasus",
"Cycbot",
"Cutwail",
"Locky (decryptor)",
"Pinkslipbot",
"Trojan.winterlove-28",
"Kryptik",
"Ransomexx",
"Maltiverse",
"Sabey",
"Trojanspy:msil/yakbeex.a",
"Trojan:win32/blihan.a",
"Trojan:win32/smkldr.h!mtb",
"Hallrender",
"Swrort stager",
"Lockbit",
"Agent tesla - s0331",
"Twitter malware",
"Adware.browsefox",
"Redline stealer",
"Tsara brashears",
"Elocky",
"Trojan:win32/tonmye",
"Ransom:win32/ako",
"Slingshot",
"Dnspionage",
"Trojan:win32/detplock",
"Trojan:win32/smokeloader",
"Cve jar",
"Crack",
"Virtool:win32/ceeinject.gf",
"Installcore",
"Nancore ray",
"Formbook",
"W32.sality-73",
"Trojan:win32/daws",
"Win.trojan.mbrlock-9779766-0",
"Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt",
"Tv rat",
"Ransomware",
"Icefog",
"Alf:trojan:win32/cassini_ade36583!ibt",
"Unix.trojan.mirai-6981169-0",
"Elf:mirai-ati",
"Trojanspy",
"Trojan:win32/zbot.sibg!mtb",
"Maui ransomware",
"Win.malware.004bf-6866449-0",
"Matsnu",
"Nufs_unicode",
"Sheur4.ceoo",
"Trojan.avsetecer",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Artemis",
"Trojan[apt]/win32.lazarus",
"Zbot",
"Emotet",
"#virtool:win32|obfuscator.adb",
"W32.eheur",
"Bambernek",
"Dexter",
"Glooxmail",
"Hydra",
"Msil_kryptik.p.gen",
"Xrat",
"Banjori",
"Win32:inject-bcl\\ [trj]",
"Alf:trojan:win32/cassini_f28c33a2!ibt",
"Win.packed.stealerc-10017074-0",
"Sality",
"Suppobox",
"Mydoom",
"Zeus",
"Telper:hstr:clean:ninite",
"Pahamify pegasus",
"Betabot",
"Dridex",
"Andromeda",
"Citadel",
"Win.puzzlemaker",
"Win32:evo-gen\\ [trj]",
"Ascii",
"Floxif",
"Alf:heraklezeval:ransom:msil/gorf",
"Icedid",
"Athena",
"Gen:variant.strictor",
"Win.packed.generic-9967832-0",
"Dorkbot",
"Solar",
"Colbalt strike",
"Trojanclicker.",
"Quasar rat",
"Mirai",
"Generic_r.byw",
"Death bitches",
"Covid19",
"Noname057",
"Hacktool:win32/cobaltstrike.a",
"Worn:win32/autorun.xxy!bit",
"Tofsee",
"Dapato",
"Custom malware",
"Fonepaw",
"Dark power",
"Worm",
"Apple malware",
"Kraken",
"Verified",
"Berbew.aa!mtb",
"Bit rat",
"Glupteba.mt!mtb",
"Alf:trojan:msil/agenttesla.km",
"Tel:exploit:win32/sinkers",
"Alinaos",
"Win.dropper.poisonivy-9876745-0",
"Win.trojan.agent-828507",
"Sabey tooth",
"Zombie.a",
"Win.fivehands",
"Pws:win32/raven",
"Simda",
"Remcos",
"Ragnar locker",
"Dyre",
"Webtoolbar",
"Swisyn",
"Fusioncore",
"Mediamagnet",
"Mekotio",
"Neutrino",
"Ramnit",
"Anydesk",
"Daisy coleman",
"Tulach",
"Iobit",
"Virut",
"Network rat",
"Worm:win32/pykspa",
"#lowfi:lua:dllsuspiciousexport.a",
"#lowfi:suspicioussectionname",
"Unruy",
"Nymaim",
"Floxif.e",
"Alf:ransom:win32/babax.sg!mtb",
"Trojan.playtech/crossrider",
"Trojan.wisdomeyes.16070401.9500",
"Other malware",
"Facebook ht",
"Defacement",
"Hiddentear",
"Virus.virlock/nabucur",
"Pykspa",
"Plasma rat",
"Worm:win32/mofksys.rnd!mtb",
"Win.trojan.barys-10005825-0",
"Spitmo",
"Trojanclicker",
"Chaos",
"Win32:kamso",
"Trojan:win32/remcosrat",
"#lowfi:win32/autoit",
"Alf:jasyp:trojan:win32/ircbot!atmn"
],
"industries": [
"Government",
"Legal",
"Contracts",
"Telecommunications",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Media",
"Public administration",
"Technology",
"Civil society",
"Health",
"Education",
"Entertainment",
"Insurance",
"Healthcare",
"Finance",
"Telecom"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e2e5ed5d25f6949b1d752b",
"name": "CAPE Sandbox- The Unified Layer",
"description": "\"A public key has been issued by the US government to secure the signature of US President Barack Obama and US Secretary of State John Kerry, who both want to use it to send their private messages.\"",
"modified": "2026-04-18T04:07:44.254000",
"created": "2026-04-18T02:01:17.468000",
"tags": [
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cnr11",
"validity",
"subject public",
"key info",
"key algorithm",
"certificate",
"eig network",
"nethandle",
"net162",
"net1620000",
"layer",
"blueh2",
"layer orgid",
"south",
"east city",
"settings",
"first counter",
"default",
"inprocserver32",
"mbisslshort",
"bearer",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"info",
"bridge",
"accept",
"date",
"agent",
"shutdown",
"root",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/1cf39e937e336af49cc01531f7bb7be83dfa289155a8437a51026a0e7d58f82c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776477807&Signature=oSRFzpQidegADbfg0MoAaOppxJPT%2BHBOfJDD0gT3CsqzdA4Tjoyves4A8yyH%2BI2qY4aff864krjBwpMFqHLhr4ph8NiNxA9fALzN1Tp4DVT5dD%2FeWXgVIj8kxAH%2BzCGLgscgTkiLeb5E6Zv0SQy%2By%2B3ASvjo1VRj4FLsixsH6uU6QKX0UmF2IPqI5UtfPUrb76d1fddT1PAGmtP1q6YxY44QADQhIxF6Y4MB4iqEVd2ItuD0eL"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 69,
"FileHash-SHA256": 274,
"hostname": 328,
"CIDR": 1,
"URL": 229,
"email": 2,
"IPv4": 152,
"domain": 60,
"FileHash-MD5": 587,
"CVE": 1
},
"indicator_count": 1703,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2bb3f596b9a99d6eb97c3",
"name": "unnamed group SOCradar clone by fraevolquez",
"description": "",
"modified": "2026-04-12T00:05:39.579000",
"created": "2026-03-12T13:10:23.942000",
"tags": [
"indicator",
"Dominican Republic",
"SOC RADAR"
],
"references": [],
"public": 1,
"adversary": "Unnamed group",
"targeted_countries": [
"Dominican Republic"
],
"malware_families": [
{
"id": "win.sombrat",
"display_name": "win.sombrat",
"target": null
},
{
"id": "NoName057",
"display_name": "NoName057",
"target": null
},
{
"id": "Floxif",
"display_name": "Floxif",
"target": null
},
{
"id": "Colbalt Strike",
"display_name": "Colbalt Strike",
"target": null
},
{
"id": "emotet",
"display_name": "emotet",
"target": null
},
{
"id": "win.puzzlemaker",
"display_name": "win.puzzlemaker",
"target": null
},
{
"id": "Trojan:Win32/SmokeLoader",
"display_name": "Trojan:Win32/SmokeLoader",
"target": "/malware/Trojan:Win32/SmokeLoader"
},
{
"id": "Network RAT",
"display_name": "Network RAT",
"target": null
},
{
"id": "GLOOXMAIL",
"display_name": "GLOOXMAIL",
"target": null
},
{
"id": "hiddentear",
"display_name": "hiddentear",
"target": null
},
{
"id": "AnyDesk",
"display_name": "AnyDesk",
"target": null
},
{
"id": "mekotio",
"display_name": "mekotio",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Zombie.A",
"display_name": "Zombie.A",
"target": null
},
{
"id": "Verified",
"display_name": "Verified",
"target": null
},
{
"id": "Berbew.AA!MTB",
"display_name": "Berbew.AA!MTB",
"target": null
},
{
"id": "Floxif.E",
"display_name": "Floxif.E",
"target": null
},
{
"id": "win.fivehands",
"display_name": "win.fivehands",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Glupteba.MT!MTB",
"display_name": "Glupteba.MT!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1193",
"name": "Spearphishing Attachment",
"display_name": "T1193 - Spearphishing Attachment"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1038",
"name": "DLL Search Order Hijacking",
"display_name": "T1038 - DLL Search Order Hijacking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1503",
"name": "Credentials from Web Browsers",
"display_name": "T1503 - Credentials from Web Browsers"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1111",
"name": "Two-Factor Authentication Interception",
"display_name": "T1111 - Two-Factor Authentication Interception"
},
{
"id": "T1087",
"name": "Account Discovery",
"display_name": "T1087 - Account Discovery"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1534",
"name": "Internal Spearphishing",
"display_name": "T1534 - Internal Spearphishing"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1602",
"name": "Data from Configuration Repository",
"display_name": "T1602 - Data from Configuration Repository"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1493",
"name": "Transmitted Data Manipulation",
"display_name": "T1493 - Transmitted Data Manipulation"
}
],
"industries": [
"Public Administration"
],
"TLP": "white",
"cloned_from": "67733381a0cdad5d55f5166f",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 10,
"FileHash-MD5": 1148,
"FileHash-SHA1": 717,
"FileHash-SHA256": 2826,
"domain": 886,
"hostname": 1176
},
"indicator_count": 6763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "microsoftdata.solutions",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "microsoftdata.solutions",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776680374.484238
}