{ "type": "Domain", "indicator": "mindsharegit.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mindsharegit.com", "alexa": "http://www.alexa.com/siteinfo/mindsharegit.com", "indicator": "mindsharegit.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3084170485, "indicator": "mindsharegit.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "817 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c4f41727d49d783b766", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2023-12-06T14:59:27.563000", "created": "2023-12-06T14:59:27.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 858, "hostname": 589, "URL": 2061, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653960d6d09796c4ba4c1e90", "name": "CVE JAR Found | Massive active Malicious | unlatched issues", "description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T18:39:18.723000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653977171f690fb9ab978bf3", "name": "Speechless | Critical", "description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T20:14:14.532000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f2100b535d359accfc3a6", "name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:20:32.349000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": "653960d6d09796c4ba4c1e90", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f219ce051cf01e9a6be8b", "name": "Speechless | Critical", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:23:08.790000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261635800a6b5abe58e2512", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T13:59:52.458000", "tags": [ "RU", "KR" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 589, "URL": 2061, "FileHash-SHA256": 858, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Domains Contacted api.nuget.org", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "aig.com", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "103.224.212.34 scanning_host", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net [ Hidden private Apple data collection]", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "newrelic.se [Apple Collection]", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "https://www.anyxxxtube.net/search-porn/", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "https://pin.it/ [SQLi Dumper]", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "https://bhive.nectar.social/rKvoMY", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "mobile.twitter.com [titled hashtag Daisy Coleman]", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "msftconnecttest.com", "init-p01st.push.apple.com", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "http://appleid.app", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "https://www.fidelity.com/ https://www.fidelity.com/", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "MyChart Phishing Scams", "apple-dns.net. [Apple email collection]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "12 CVE exploits posted in 'scoreblue' CVE tally", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "104.200.22.130 Command and Control", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "tulach.cc [Adversarial Malware Attack Source]", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "0-1.duckdns.org [malicious]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Zbot", "Daisy coleman", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Azorult", "Chaos", "Trojan:pdf/phish.rr!mtb", "Lockbit", "Fonepaw", "Agent tesla - s0331", "Win32:trojanx-gen\\ [trj]", "Eternalrocks", "Maui ransomware", "Dnstrojan", "Amazon aes", "Qakbot", "Trojandropper:win32/qhost", "Trojan:win32/miner.ka!mtb", "Facebook ht", "Trojan:win32/conbea!rfn", "Ransomexx", "Pwndlocker", "Formbook", "Vidar", "Win64:trojan-gen", "Death bitches", "Trojan:win32/detplock", "Swisyn", ": alf:trojan:msil/azorult.ac!", "Alf:trojan:win32/cryptwrapper.rt!mtb", "Dark power", "Trojan:bat/musecador", "Gootloader", "Fusioncore", "Crack", "Dapato", "Trickbot - s0266", "Raccoon", "Quasar rat", "Apple malware", "Dnspionage", "Alf:heraklezeval:trojan:msil/gravityrat", "Trojanspy", "Twitter malware", "Win64-trojan/pakes.exp", "Tofsee", "Win64:ransomx-gen", "Cve jar", "Tsara brashears", "Emotet", "Remcos", "Trojan:msil/ursu.kp", "Networm", "Trojan:win32/ausiv!rfn", "Tulach malware", "Webtoolbar", "Artemis", "Lolkek", "Bit rat" ], "industries": [ "Finance", "Insurance", "Healthcare", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "817 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c4f41727d49d783b766", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2023-12-06T14:59:27.563000", "created": "2023-12-06T14:59:27.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 858, "hostname": 589, "URL": 2061, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653960d6d09796c4ba4c1e90", "name": "CVE JAR Found | Massive active Malicious | unlatched issues", "description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T18:39:18.723000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653977171f690fb9ab978bf3", "name": "Speechless | Critical", "description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T20:14:14.532000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mindsharegit.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mindsharegit.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776630154.3555412 }