{
"type": "Domain",
"indicator": "monerpool.org",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/monerpool.org",
"alexa": "http://www.alexa.com/siteinfo/monerpool.org",
"indicator": "monerpool.org",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2883425545,
"indicator": "monerpool.org",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 16,
"pulses": [
{
"id": "6783308fc0b6e2bd8dfb209c",
"name": "TTC-CERT_blocklist_recommended",
"description": "",
"modified": "2026-02-14T00:03:07.406000",
"created": "2025-01-12T03:01:35.075000",
"tags": [],
"references": [
"https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 606,
"URL": 4,
"domain": 25122,
"hostname": 25306
},
"indicator_count": 51038,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 185,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "682f52de68ac467c666c8ee0",
"name": "23.219.89.169 dty-274d7ae9-e5e0-48eb-80db-f8daf26a8d1b-default-prod-64333_23af6e1645db3b350058.js",
"description": "https://www.virustotal.com/gui/file/191475f518a3563c8bbe32e742cc9106c0c968e2e3b9ce12aa12b5f018cbac42/relations\nhttps://www.virustotal.com/gui/ip-address/23.219.89.169/relations",
"modified": "2025-06-21T16:02:45.537000",
"created": "2025-05-22T16:37:50.568000",
"tags": [
"trojan",
"virus",
"md5 time",
"action payload",
"type malicious",
"trojan injector",
"trojan zloader",
"adware",
"parent",
"diff",
"drop",
"trustcor",
"vhash",
"ssdeep"
],
"references": [
"https://res.public.onecdn.static.microsoft/midgard/versionless/dty-274d7ae9-e5e0-48eb-80db-f8daf26a8d1b-default-prod-64333_23af6e1645db3b350058.js",
"https://feedback.us1.glint.cloud.microsoft/chemtrade/q2/questionnaire/5b77004c-9458-414f-8b63-a10eeff2ea13",
"svc.ha-teams.office.com",
"s-0005.dual-s-msedge.net",
"mira-tmc.tm-4.office.com",
"ecs-office.s-0005.dual-s-msedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 63,
"FileHash-SHA256": 451,
"FileHash-MD5": 200,
"hostname": 639,
"domain": 109,
"URL": 572
},
"indicator_count": 2034,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "344 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66904c243212c659a950a425",
"name": "cryptomining",
"description": "",
"modified": "2025-06-10T03:44:09.885000",
"created": "2024-07-11T21:18:28.832000",
"tags": [],
"references": [
"https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/crypto_mining.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 199,
"URL": 1,
"domain": 111
},
"indicator_count": 311,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 186,
"modified_text": "355 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66eb1585832bcf4f494f0335",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging",
"description": "",
"modified": "2024-10-20T13:04:44.866000",
"created": "2024-09-18T18:01:41.013000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4635,
"domain": 771,
"email": 11,
"hostname": 1993,
"FileHash-SHA256": 3185,
"FileHash-MD5": 113,
"FileHash-SHA1": 101,
"CVE": 3
},
"indicator_count": 10814,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 236,
"modified_text": "588 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c661131c5003925e9bfe15",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:11.612000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c66114103f15aab3b00d6c",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:12.543000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ca37ac60cb425a2b3856c6",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-24T19:42:36.642000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66c66114103f15aab3b00d6c",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66d4b052225d396d18e395c3",
"name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-09-01T18:20:02.256000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708f3d55770338a7d7e46b",
"name": "filename:\"fa-brands-400.woff2?_v=5.15.3\"",
"description": "",
"modified": "2023-12-06T15:11:57.253000",
"created": "2023-12-06T15:11:57.253000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 430,
"hostname": 1503,
"domain": 1549,
"URL": 3561,
"FileHash-MD5": 1
},
"indicator_count": 7045,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708cee75cb524822443805",
"name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120",
"description": "",
"modified": "2023-12-06T15:02:05.972000",
"created": "2023-12-06T15:02:05.972000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6174,
"FileHash-SHA256": 1762,
"domain": 693,
"email": 2,
"hostname": 1343,
"FileHash-MD5": 115,
"FileHash-SHA1": 107,
"CVE": 2
},
"indicator_count": 10198,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 114,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653090cd5c6271761323a7a4",
"name": "Jupyter Notebooks Under Attack: QubitStrike Malware Targets Linux Servers",
"description": "",
"modified": "2023-11-18T01:05:41.002000",
"created": "2023-10-19T02:13:33.190000",
"tags": [
"cyber security news",
"cyber news",
"cyber security news today",
"cyber security updates",
"cyber updates",
"hacker news",
"hacking news",
"software vulnerability",
"cyber attacks",
"data breach",
"ransomware malware",
"how to hack",
"network security",
"information security",
"the hacker news",
"computer security",
"tunisia",
"qubitstrike",
"cado",
"telegram api",
"git hosting",
"github",
"matt muir",
"nate bill",
"jupyter",
"codeberg",
"discord",
"twitter",
"linux server",
"linux",
"telegram bot",
"discord channel",
"linux rootkit",
"xmrrig miner",
"google cloud",
"cado research",
"download",
"insert",
"install",
"teamtnt",
"cryptojacking",
"cloud",
"cado security",
"aws",
"malware",
"saas",
"muir",
"jupyter web",
"threat research",
"lead",
"help net",
"ssh key",
"cloud service",
"ssh propagation",
"xmrig",
"persistence",
"python",
"netshadow",
"blacksun",
"diamorphine",
"strong",
"github desktop",
"linux kernels",
"arm64",
"sign",
"lkm rootkit",
"search",
"cancel create",
"star",
"victor",
"footer",
"ipv4 url"
],
"references": [
"October 19th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3434 - Jupyter Notebooks Under Attack - QubitStrike Malware Targets Linux Servers"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Qubitstrike",
"display_name": "Qubitstrike",
"target": null
},
{
"id": "Linux",
"display_name": "Linux",
"target": null
}
],
"attack_ids": [
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1526",
"name": "Cloud Service Discovery",
"display_name": "T1526 - Cloud Service Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "cryptocti",
"id": "110256",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 2,
"FileHash-SHA1": 1,
"FileHash-SHA256": 58,
"hostname": 43,
"domain": 4,
"URL": 110
},
"indicator_count": 219,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 499,
"modified_text": "925 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6295d72c09bca73117c7b35c",
"name": "\u5a01\u80c1\u72e9\u730e\u2014\u6316\u77ff\u6728\u9a6c\u7684\u5206\u6790\u4e0e\u8ddf\u8e2a",
"description": "\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u901a\u8fc7\u5bf9\u6316\u77ff\u6728\u9a6c\u5bb6\u65cf\u7684\u5a01\u80c1\u72e9\u730e\uff0c\u83b7\u5f97\u5927\u91cf\u6316\u77ff\u6728\u9a6c\u5e38\u7528\u6316\u77ff\u57df\u540d\u548c\u76f8\u5173C2\u3002",
"modified": "2023-07-19T06:10:51.967000",
"created": "2022-05-31T08:51:55.995000",
"tags": [
"CoinMiner",
"HotSpot"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Coin Miner",
"display_name": "Coin Miner",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "junchuanyang1",
"id": "157561",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 285,
"hostname": 109,
"domain": 21
},
"indicator_count": 415,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 88,
"modified_text": "1047 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "62981c9999c140fe3dc70f18",
"name": "filename:\"fa-brands-400.woff2?_v=5.15.3\"",
"description": "",
"modified": "2022-07-02T00:05:39.094000",
"created": "2022-06-02T02:12:41.574000",
"tags": [
"geoip",
"cloudflarenet",
"as13335",
"as16276",
"apache geoip",
"as57724",
"ddosguard",
"as49282",
"ficolo",
"as24940",
"xserver",
"media",
"telecom",
"https://www.flooringforum.com/media/",
"filename:\"fa-brands-400.woff2?_v=5.15.3\"",
"CVE-2017-0147"
],
"references": [
"filename:\"fa-brands-400.woff2?_v=5.15.3\"",
"CVE-2017-0147"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3561,
"hostname": 1503,
"FileHash-SHA256": 430,
"domain": 1549,
"CVE": 1,
"FileHash-MD5": 1
},
"indicator_count": 7045,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1429 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "626bdc17d4519e2619a504da",
"name": "what a difference a . makes - irr.blizzard.com. - CVE-2018-8120",
"description": "",
"modified": "2022-05-30T00:00:40.928000",
"created": "2022-04-29T12:37:43.880000",
"tags": [
"irr.blizzard.com",
"irr.blizzard.com.",
"24.105.29.24",
"CVE-2018-8120"
],
"references": [
"https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c",
"https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910",
"https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653",
"https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4",
"74.203.211.12:1433",
"irr.blizzard.com. 24.105.29.24",
"https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
}
],
"industries": [
""
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1343,
"URL": 6174,
"domain": 693,
"FileHash-SHA256": 1762,
"FileHash-MD5": 115,
"CVE": 2,
"FileHash-SHA1": 107,
"email": 2
},
"indicator_count": 10198,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 410,
"modified_text": "1462 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"Can the DoD no questions asked target a SA victim",
"iamrobert.com Y.A.S.",
"https://hybrid-analysis.com/sample/95121783365a25ff1016eb630deaf5ee50456295161604553fb27ac30b5f1cfe/626bce701d2fd7781b6f8653",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://hybrid-analysis.com/sample/60efb7ca24b6996a44c919d50ebcffe4092591ab15e6acda03f6a459ee96646e/626bd048a7193d6c1b3e9910",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://res.public.onecdn.static.microsoft/midgard/versionless/dty-274d7ae9-e5e0-48eb-80db-f8daf26a8d1b-default-prod-64333_23af6e1645db3b350058.js",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"svc.ha-teams.office.com",
"https://meumundogay-com.sexogratis.page/locker",
"https://hybrid-analysis.com/sample/e22d8ea5dc8732defed6c17b4bec3fbdf092aa86df4f4b80c768037fd59397ac/626bc2368590ef23a25053b4",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://es.pornhat.com/models/the-sex-creator/",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"74.203.211.12:1433",
"s-0005.dual-s-msedge.net",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"mira-tmc.tm-4.office.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"152.199.161.19: ANS Communications, Inc (ANS)",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"https://feedback.us1.glint.cloud.microsoft/chemtrade/q2/questionnaire/5b77004c-9458-414f-8b63-a10eeff2ea13",
"filename:\"fa-brands-400.woff2?_v=5.15.3\"",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"There is fear in silence or speaking out",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://hybrid-analysis.com/sample/0046d22f2c6d0d3805d3ac393a5e9a6d22fbdf4c536accc953c0ad6016180e2f/626bcef6f5f0f643c216c84c",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"152.199.171.19 : USDA Fort Collins, Colorado",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"October 19th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3434 - Jupyter Notebooks Under Attack - QubitStrike Malware Targets Linux Servers",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"If someone is believed to be a threat they have right to due process.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"ecs-office.s-0005.dual-s-msedge.net",
"I am very upset. Whoever is doing this is sick.",
"irr.blizzard.com. 24.105.29.24",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Target agreed and complied with all lie detector measures.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/crypto_mining.txt",
"https://www.virustotal.com/graph/g909fda2b00874cfcac059078fd24495c5ac4a8b219cd4b8fb8108b19dab31ad8",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Yara Detections: osx_GoLang",
"CVE-2017-0147"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Qubitstrike",
"Win.trojan.emotet-9951800-0",
"Linux",
"Virtool:win32/injector",
"Slf:trojan:win32/grandoreiro.a",
"Apnic",
"Other:malware-gen\\ [trj]",
"Coin miner",
"Malware"
],
"industries": [
""
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 16,
"pulses": [
{
"id": "6783308fc0b6e2bd8dfb209c",
"name": "TTC-CERT_blocklist_recommended",
"description": "",
"modified": "2026-02-14T00:03:07.406000",
"created": "2025-01-12T03:01:35.075000",
"tags": [],
"references": [
"https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 606,
"URL": 4,
"domain": 25122,
"hostname": 25306
},
"indicator_count": 51038,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 185,
"modified_text": "106 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "682f52de68ac467c666c8ee0",
"name": "23.219.89.169 dty-274d7ae9-e5e0-48eb-80db-f8daf26a8d1b-default-prod-64333_23af6e1645db3b350058.js",
"description": "https://www.virustotal.com/gui/file/191475f518a3563c8bbe32e742cc9106c0c968e2e3b9ce12aa12b5f018cbac42/relations\nhttps://www.virustotal.com/gui/ip-address/23.219.89.169/relations",
"modified": "2025-06-21T16:02:45.537000",
"created": "2025-05-22T16:37:50.568000",
"tags": [
"trojan",
"virus",
"md5 time",
"action payload",
"type malicious",
"trojan injector",
"trojan zloader",
"adware",
"parent",
"diff",
"drop",
"trustcor",
"vhash",
"ssdeep"
],
"references": [
"https://res.public.onecdn.static.microsoft/midgard/versionless/dty-274d7ae9-e5e0-48eb-80db-f8daf26a8d1b-default-prod-64333_23af6e1645db3b350058.js",
"https://feedback.us1.glint.cloud.microsoft/chemtrade/q2/questionnaire/5b77004c-9458-414f-8b63-a10eeff2ea13",
"svc.ha-teams.office.com",
"s-0005.dual-s-msedge.net",
"mira-tmc.tm-4.office.com",
"ecs-office.s-0005.dual-s-msedge.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 63,
"FileHash-SHA256": 451,
"FileHash-MD5": 200,
"hostname": 639,
"domain": 109,
"URL": 572
},
"indicator_count": 2034,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "344 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66904c243212c659a950a425",
"name": "cryptomining",
"description": "",
"modified": "2025-06-10T03:44:09.885000",
"created": "2024-07-11T21:18:28.832000",
"tags": [],
"references": [
"https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/crypto_mining.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 199,
"URL": 1,
"domain": 111
},
"indicator_count": 311,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 186,
"modified_text": "355 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66eb1585832bcf4f494f0335",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging",
"description": "",
"modified": "2024-10-20T13:04:44.866000",
"created": "2024-09-18T18:01:41.013000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4635,
"domain": 771,
"email": 11,
"hostname": 1993,
"FileHash-SHA256": 3185,
"FileHash-MD5": 113,
"FileHash-SHA1": 101,
"CVE": 3
},
"indicator_count": 10814,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 236,
"modified_text": "588 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c661131c5003925e9bfe15",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:11.612000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c66114103f15aab3b00d6c",
"name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?",
"description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-21T21:50:12.543000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ca37ac60cb425a2b3856c6",
"name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-08-24T19:42:36.642000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66c66114103f15aab3b00d6c",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66d4b052225d396d18e395c3",
"name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ",
"description": "",
"modified": "2024-09-20T20:04:19.210000",
"created": "2024-09-01T18:20:02.256000",
"tags": [
"net152",
"net1520000",
"loudoun county",
"ans core",
"nethandle",
"as1321",
"parkway city",
"as701 orgnocref",
"swipper",
"verizon",
"high",
"intel",
"icmp traffic",
"dns query",
"object",
"all scoreblue",
"filehash",
"malware",
"comcast",
"cve1102",
"actors",
"investigation",
"bad domains",
"emotet am",
"iocs",
"first",
"utc submissions",
"submitters",
"summary iocs",
"graph community",
"webcc",
"gmo internet",
"csc corporate",
"domains",
"alibaba cloud",
"computing",
"beijing",
"dynadot",
"ltd dba",
"china telecom",
"group",
"google",
"cloudflarenet",
"kb txtresse",
"mb smartsaver",
"admin cmd",
"mb threatsniper",
"mb history",
"mb gadget",
"installer",
"referrer",
"styes worm",
"historical ssl",
"script script",
"i span",
"ie script",
"win64",
"span",
"urls",
"levelblue labs",
"pulses",
"nastya",
"meta",
"open",
"date",
"vj92",
"uagdaaeqcqaaaag",
"ukgbagaqcqaaaae",
"slfrd1",
"hostnames",
"urls http",
"ukgbagaqcq",
"jid1886833764",
"jid882556742",
"samples",
"unknown",
"united",
"as20940",
"as2914 ntt",
"nxdomain",
"status",
"as6461 zayo",
"united kingdom",
"as15169 google",
"as33438",
"search",
"creation date",
"name servers",
"showing",
"hungary unknown",
"entries",
"scan endpoints",
"next",
"cape",
"show",
"copy",
"emotet malware",
"read",
"write",
"delete",
"june",
"emotet",
"as14627",
"passive dns",
"ipv4",
"pulse pulses",
"win32",
"months ago",
"created",
"modified",
"email",
"glupteba",
"hostname",
"cyber",
"read c",
"port",
"medium",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"dock",
"execution",
"method status",
"url hostname",
"ip country",
"type get",
"cachecontrol",
"location https",
"date thu",
"gmt server",
"code",
"ve234 server",
"aaaa",
"whitelisted",
"as44273 host",
"as46691",
"domain",
"script urls",
"path max",
"age86400 set",
"cookie",
"script domains",
"trojan",
"body"
],
"references": [
"Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco",
"Antivirus Detections: Other:Malware-gen\\ [Trj]",
"Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication",
"Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0",
"Yara Detections: osx_GoLang",
".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net",
"0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com",
"http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |",
"http://appleidi-iforgot.3utilities.com/Verify.php",
"device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org",
"152.199.171.19 : USDA Fort Collins, Colorado",
"Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com",
"152.199.161.19: ANS Communications, Inc (ANS)",
"OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com",
"http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net",
"https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco",
"Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc",
"Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09",
"Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3",
"Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Other:Malware-gen\\ [Trj]",
"display_name": "Other:Malware-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Emotet-9951800-0",
"display_name": "Win.Trojan.Emotet-9951800-0",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66ca37ac60cb425a2b3856c6",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CIDR": 2,
"URL": 4338,
"domain": 753,
"email": 9,
"hostname": 1799,
"FileHash-SHA256": 3098,
"FileHash-MD5": 110,
"FileHash-SHA1": 98,
"CVE": 3
},
"indicator_count": 10210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "617 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "monerpool.org",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "monerpool.org",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780249408.4653618
}