{
  "type": "Domain",
  "indicator": "network.target",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/network.target",
    "alexa": "http://www.alexa.com/siteinfo/network.target",
    "indicator": "network.target",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2961293650,
      "indicator": "network.target",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 32,
      "pulses": [
        {
          "id": "68c12ec5eb851e4417b21f49",
          "name": "ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT",
          "description": "ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers features such as file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution. The Linux version is fully functional, while the Windows version appears to be in early development. The malware's author seems to be actively working on improving its detection avoidance. ZynorRAT's capabilities include discovery, exfiltration, persistence, and remote code execution on victim machines.",
          "modified": "2025-10-10T07:04:17.642000",
          "created": "2025-09-10T07:54:45.330000",
          "tags": [
            "remote access trojan",
            "zynorrat",
            "go-based",
            "turkish",
            "linux",
            "telegram",
            "windows",
            "c2"
          ],
          "references": [
            "https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ZynorRAT",
              "display_name": "ZynorRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 43,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 10,
            "domain": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386506,
          "modified_text": "233 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66881254e482093db1d6f9ba",
          "name": "New Threat: A Deep Dive Into the Zergeca Botnet",
          "description": "An analysis of a newly discovered botnet named Zergeca, implemented in the Go language, with capabilities for DDoS attacks, proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. The report delves into the botnet's unique features, including its multi-DNS resolution methods, encrypted communication protocol, and connection to a previously used IP address associated with Mirai botnets. The analysis covers sample detection, infrastructure details, reverse engineering findings, and provides insights into the author's techniques and expertise.",
          "modified": "2024-08-04T15:04:12.123000",
          "created": "2024-07-05T15:33:40.475000",
          "tags": [
            "zergeca",
            "ddos",
            "botnet",
            "cve-2018-10562",
            "persistence",
            "go",
            "cve-2018-10561",
            "cve-2016-20016",
            "cve-2022-35733",
            "cve-2017-17215"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Germany"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 342,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386509,
          "modified_text": "664 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683b8b3d2bafff519c4d24e",
          "name": "Mining Gang's New Tool: k4spreader",
          "description": "Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and the release of other malware such as the Tsunami botnet and the PwnRig miner. The tool is still in early development, with three versions observed so far.",
          "modified": "2024-08-01T08:02:48.060000",
          "created": "2024-07-02T08:22:11.082000",
          "tags": [
            "mining",
            "botnet",
            "tsunami",
            "pwnrig",
            "spreader",
            "k4spreader"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/"
          ],
          "public": 1,
          "adversary": "8220 Mining Gang",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "k4spreader",
              "display_name": "k4spreader",
              "target": null
            },
            {
              "id": "Tsunami",
              "display_name": "Tsunami",
              "target": null
            },
            {
              "id": "PwnRig",
              "display_name": "PwnRig",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1197",
              "name": "BITS Jobs",
              "display_name": "T1197 - BITS Jobs"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 350,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 8,
            "URL": 13,
            "domain": 4,
            "hostname": 7
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386508,
          "modified_text": "668 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a16ac90f5b7cde86d323464",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: there's a name tagged here that's interesting",
          "description": "",
          "modified": "2026-05-27T08:34:24.654000",
          "created": "2026-05-27T08:34:24.654000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "4 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a16ac89787e428fe0f7b045",
          "name": "[\"backup ios...\"] clone by Merkd1904. User note: theres a name tagged here thats interesting",
          "description": "",
          "modified": "2026-05-27T08:34:17.204000",
          "created": "2026-05-27T08:34:17.204000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "661db37bf549518bf6f7f377",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "4 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d586108786e7be59439809",
          "name": "Bot.io",
          "description": "",
          "modified": "2026-05-07T21:06:09.549000",
          "created": "2026-04-07T22:32:48.996000",
          "tags": [
            "added active",
            "related pulses",
            "found",
            "zergeca botnet",
            "zergeca",
            "upx packer",
            "khtml",
            "gecko",
            "united",
            "ids detections",
            "yara detections",
            "https domain",
            "tls sni",
            "ip lookup",
            "external ip",
            "malware",
            "encrypt",
            "techniques",
            "modify system",
            "process",
            "https",
            "performs dns",
            "tls version",
            "reads cpu",
            "proc indicative",
            "urls",
            "downloads",
            "persistence",
            "data upload",
            "extraction",
            "find s",
            "failed",
            "typ don",
            "ipv4 url",
            "canreb",
            "type ipv4",
            "url domail",
            "domail showing",
            "elf conta",
            "typ url",
            "zercega",
            "enter sc",
            "type",
            "include",
            "review",
            "n1 exclude",
            "suggestedincc",
            "a50 typ",
            "ipv4",
            "matches yara",
            "dete data",
            "yara detectea",
            "cro intormation",
            "exclude sugges",
            "sc car",
            "extra lte",
            "referen",
            "l extraction",
            "droo anv",
            "extr referen",
            "lte all",
            "je matches",
            "yara detel",
            "yara dete",
            "include review",
            "exchange lte",
            "je elf",
            "passive dns",
            "certificate",
            "files",
            "trojan",
            "related tags",
            "worm",
            "medium",
            "write c",
            "write",
            "high",
            "binary",
            "yara rule",
            "default",
            "moved",
            "schaan",
            "as834 ipxo",
            "dynamicloader",
            "program",
            "ee fc",
            "users",
            "ff d5",
            "python",
            "windows",
            "autoit",
            "confuserex",
            "stream",
            "guard",
            "launcher",
            "updater",
            "global",
            "america flag",
            "ashburn",
            "america related",
            "tags",
            "indicator facts",
            "historical otx",
            "controller fake",
            "akamai rank",
            "russia",
            "present nov",
            "aaaa",
            "link",
            "a domains",
            "ip address",
            "meta",
            "cve -2014-2321",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "pa status",
            "whois server",
            "included iocs",
            "manually add",
            "iocs o",
            "iocs",
            "sugges",
            "stop show",
            "types",
            "external",
            "ripe",
            "pa abusec",
            "neterra",
            "sofia",
            "bulgaria phone",
            "filtered person",
            "neven dilkov",
            "bg phone",
            "filtered route",
            "a5ip",
            "aa2023",
            "aamirai",
            "a2scanner",
            "apple inc",
            "issuer",
            "valid",
            "algorit",
            "thum",
            "name",
            "a9 a8",
            "status",
            "macho",
            "macho 64bit",
            "mac os",
            "x macho",
            "intel",
            "typ no",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "date",
            "name servers",
            "arial",
            "error",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "contacted",
            "MacSync_AppleScript_Stealer",
            "cve-2018-10562",
            "source",
            "roboto",
            "robotodraft",
            "helvetica",
            "iframe",
            "manually ada",
            "review iocs",
            "abv0",
            "qaeaav0",
            "cptbdev",
            "w4uninitialized",
            "qaeaav01",
            "abv01",
            "qaexn",
            "qbenxz",
            "phoneidentify",
            "qbepaxxz"
          ],
          "references": [
            "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
            "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
            "Zercega \u2022 IPv4 84.54.51.82",
            "Zercega \u2022  http://bot.hamsterrace.space:5966/",
            "Zercega \u2022  multi-user.target",
            "Zercega \u2022  ootheca.pw",
            "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
            "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
            "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
            "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
            "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
            "Crowdsourced IDS rules:",
            "Matches rule ET POLICY External IP Lookup ipinfo.io",
            "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
            "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
            "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
            "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
            "Yara detected: Xmrig cryptocurrency miner",
            "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
            "meta.com \u2022 meta.com.apple",
            "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
            "ELF contains segments with high entropy indicating compressed/encrypted content",
            "/etc/systemd/system/geomi.service File type: ASCII text",
            "http://www.bing.lt/search?q=",
            "Win.Malware.Salat-10058846-0",
            "Yara Detections: MacSync_AppleScript_Stealer",
            "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
            "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
            "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
            "Alerts: packer_unknown_pe_section_name script_tool_executed",
            "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
            "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
            "Contacted:  188.114.96.1 Domains Contacted dns.google",
            "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "AutoIT",
              "display_name": "AutoIT",
              "target": null
            },
            {
              "id": "Win.Malware.Salat-10058846-0",
              "display_name": "Win.Malware.Salat-10058846-0",
              "target": null
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-9850453-0",
              "display_name": "Win.Trojan.Emotet-9850453-0",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun!atmn",
              "display_name": "Worm:Win32/AutoRun!atmn",
              "target": "/malware/Worm:Win32/AutoRun!atmn"
            },
            {
              "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "CVE-2014-2321",
              "display_name": "CVE-2014-2321",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            },
            {
              "id": "CVE-2018-10562",
              "display_name": "CVE-2018-10562",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1222.002",
              "name": "Linux and Mac File and Directory Permissions Modification",
              "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1037.002",
              "name": "Logon Script (Mac)",
              "display_name": "T1037.002 - Logon Script (Mac)"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "69d5859750dfad7fe7989ef4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1871,
            "domain": 393,
            "hostname": 925,
            "FileHash-MD5": 391,
            "FileHash-SHA1": 390,
            "FileHash-SHA256": 2452,
            "CVE": 1,
            "SSLCertFingerprint": 1,
            "email": 4,
            "CIDR": 1
          },
          "indicator_count": 6429,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5859750dfad7fe7989ef4",
          "name": "Apple / Cloud / Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer",
          "description": "",
          "modified": "2026-05-07T21:06:09.549000",
          "created": "2026-04-07T22:30:47.312000",
          "tags": [
            "added active",
            "related pulses",
            "found",
            "zergeca botnet",
            "zergeca",
            "upx packer",
            "khtml",
            "gecko",
            "united",
            "ids detections",
            "yara detections",
            "https domain",
            "tls sni",
            "ip lookup",
            "external ip",
            "malware",
            "encrypt",
            "techniques",
            "modify system",
            "process",
            "https",
            "performs dns",
            "tls version",
            "reads cpu",
            "proc indicative",
            "urls",
            "downloads",
            "persistence",
            "data upload",
            "extraction",
            "find s",
            "failed",
            "typ don",
            "ipv4 url",
            "canreb",
            "type ipv4",
            "url domail",
            "domail showing",
            "elf conta",
            "typ url",
            "zercega",
            "enter sc",
            "type",
            "include",
            "review",
            "n1 exclude",
            "suggestedincc",
            "a50 typ",
            "ipv4",
            "matches yara",
            "dete data",
            "yara detectea",
            "cro intormation",
            "exclude sugges",
            "sc car",
            "extra lte",
            "referen",
            "l extraction",
            "droo anv",
            "extr referen",
            "lte all",
            "je matches",
            "yara detel",
            "yara dete",
            "include review",
            "exchange lte",
            "je elf",
            "passive dns",
            "certificate",
            "files",
            "trojan",
            "related tags",
            "worm",
            "medium",
            "write c",
            "write",
            "high",
            "binary",
            "yara rule",
            "default",
            "moved",
            "schaan",
            "as834 ipxo",
            "dynamicloader",
            "program",
            "ee fc",
            "users",
            "ff d5",
            "python",
            "windows",
            "autoit",
            "confuserex",
            "stream",
            "guard",
            "launcher",
            "updater",
            "global",
            "america flag",
            "ashburn",
            "america related",
            "tags",
            "indicator facts",
            "historical otx",
            "controller fake",
            "akamai rank",
            "russia",
            "present nov",
            "aaaa",
            "link",
            "a domains",
            "ip address",
            "meta",
            "cve -2014-2321",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "pa status",
            "whois server",
            "included iocs",
            "manually add",
            "iocs o",
            "iocs",
            "sugges",
            "stop show",
            "types",
            "external",
            "ripe",
            "pa abusec",
            "neterra",
            "sofia",
            "bulgaria phone",
            "filtered person",
            "neven dilkov",
            "bg phone",
            "filtered route",
            "a5ip",
            "aa2023",
            "aamirai",
            "a2scanner",
            "apple inc",
            "issuer",
            "valid",
            "algorit",
            "thum",
            "name",
            "a9 a8",
            "status",
            "macho",
            "macho 64bit",
            "mac os",
            "x macho",
            "intel",
            "typ no",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "date",
            "name servers",
            "arial",
            "error",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "contacted",
            "MacSync_AppleScript_Stealer",
            "cve-2018-10562",
            "source",
            "roboto",
            "robotodraft",
            "helvetica",
            "iframe",
            "manually ada",
            "review iocs",
            "abv0",
            "qaeaav0",
            "cptbdev",
            "w4uninitialized",
            "qaeaav01",
            "abv01",
            "qaexn",
            "qbenxz",
            "phoneidentify",
            "qbepaxxz"
          ],
          "references": [
            "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
            "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
            "Zercega \u2022 IPv4 84.54.51.82",
            "Zercega \u2022  http://bot.hamsterrace.space:5966/",
            "Zercega \u2022  multi-user.target",
            "Zercega \u2022  ootheca.pw",
            "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
            "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
            "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
            "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
            "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
            "Crowdsourced IDS rules:",
            "Matches rule ET POLICY External IP Lookup ipinfo.io",
            "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
            "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
            "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
            "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
            "Yara detected: Xmrig cryptocurrency miner",
            "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
            "meta.com \u2022 meta.com.apple",
            "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
            "ELF contains segments with high entropy indicating compressed/encrypted content",
            "/etc/systemd/system/geomi.service File type: ASCII text",
            "http://www.bing.lt/search?q=",
            "Win.Malware.Salat-10058846-0",
            "Yara Detections: MacSync_AppleScript_Stealer",
            "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
            "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
            "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
            "Alerts: packer_unknown_pe_section_name script_tool_executed",
            "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
            "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
            "Contacted:  188.114.96.1 Domains Contacted dns.google",
            "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "AutoIT",
              "display_name": "AutoIT",
              "target": null
            },
            {
              "id": "Win.Malware.Salat-10058846-0",
              "display_name": "Win.Malware.Salat-10058846-0",
              "target": null
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-9850453-0",
              "display_name": "Win.Trojan.Emotet-9850453-0",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun!atmn",
              "display_name": "Worm:Win32/AutoRun!atmn",
              "target": "/malware/Worm:Win32/AutoRun!atmn"
            },
            {
              "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "CVE-2014-2321",
              "display_name": "CVE-2014-2321",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            },
            {
              "id": "CVE-2018-10562",
              "display_name": "CVE-2018-10562",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1222.002",
              "name": "Linux and Mac File and Directory Permissions Modification",
              "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1037.002",
              "name": "Logon Script (Mac)",
              "display_name": "T1037.002 - Logon Script (Mac)"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1871,
            "domain": 393,
            "hostname": 925,
            "FileHash-MD5": 391,
            "FileHash-SHA1": 390,
            "FileHash-SHA256": 2452,
            "CVE": 1,
            "SSLCertFingerprint": 1,
            "email": 4,
            "CIDR": 1
          },
          "indicator_count": 6429,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6952635ab96902a7f72b2869",
          "name": "Attackers exploit CVE-2025-55182 vulnerability in attacks on Russian companies",
          "description": "Recent cyber attacks against Russian companies have exploited the CVE-2025-55182 (React2Shell) vulnerability to facilitate various malicious activities. These attacks predominantly involved the deployment of the XMRig cryptocurrency miner alongside other malicious payloads, including backdoors and botnets.\n\nIn specific cases, adversaries gained control over compromised hosts running containerized environments. After leveraging the React2Shell vulnerability, they executed several commands. For instance, reconnaissance included running Base64-encoded commands to gather information about the compromised systems, showing the attackers' intent to extend their control and gather intelligence before deploying further operations.",
          "modified": "2026-01-28T11:02:28.156000",
          "created": "2025-12-29T11:17:46.058000",
          "tags": [
            "bash",
            "xmrig",
            "elf64",
            "vshell",
            "react2shell",
            "base64",
            "etherrat",
            "xmrig http",
            "cve202555182",
            "kaiji",
            "sliver",
            "cobalt strike",
            "apache",
            "root",
            "service",
            "install",
            "rust",
            "ares",
            "shell",
            "systemd",
            "team",
            "macos",
            "powershell",
            "arcane",
            "werewolf",
            "loki",
            "cookie",
            "xmrig miner",
            "bash script",
            "elf32",
            "tactical rmm",
            "kaiji botnet",
            "crossc2 cobalt",
            "xmrig mining",
            "c2the rustobot",
            "distribution"
          ],
          "references": [
            "https://bi.zone/expertise/blog/zloumyshlenniki-ekspluatiruyut-uyazvimost-cve-2025-55182-v-atakakh-na-rossiyskie-kompanii/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 43,
            "URL": 53,
            "domain": 8,
            "hostname": 13
          },
          "indicator_count": 154,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "122 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6947af2d6bc68eb38075e3a5",
          "name": "APT36 sample analysis",
          "description": "APT36 has been observed using two distinct methods to execute malware on Linux and Windows platforms, focusing on the distribution of malicious files disguised as legitimate documents.\n\nOn Linux, the attack begins with the creation of a `.local` directory with specific permissions (0755), followed by downloading three files from a target URL: `gkt3.1`, `http://gkt3.sh`, and `APPL FOR UPDATION.pdf`. After the download, the `http://gkt3.sh` script is executed; it then uses the `xdg-open` command to open the PDF file, potentially leading to further exploitation or malware execution.\n\nConversely, on Windows, APT36 employs a malicious shortcut (LNK file) named `APPL FOR UPDATION OF NAME BASED & OFFICIAL NIC E-MAIL ID.pdf.LNK`. This file initiates the execution of embedded code through `mshta.exe`, a legitimate Windows system application.",
          "modified": "2026-01-20T08:04:26.478000",
          "created": "2025-12-21T08:26:21.188000",
          "tags": [
            "windows",
            "powershell",
            "apt36",
            "linux",
            "appl for",
            "shell",
            "listdrives",
            "userprofile",
            "post",
            "official nic",
            "grabber",
            "service",
            "install",
            "python",
            "hello",
            "push",
            "hosts",
            "runfile",
            "orpcbackdoor",
            "konni",
            "muddywater"
          ],
          "references": [
            "https://www.ctfiot.com/287443.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            }
          ],
          "industries": [
            "IoT",
            "Military"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3,
            "CVE": 1,
            "FileHash-MD5": 17,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 11,
            "URL": 7
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "131 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69395510912ec76473ed9501",
          "name": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig",
          "description": "",
          "modified": "2026-01-09T11:02:53.662000",
          "created": "2025-12-10T11:10:08.734000",
          "tags": [
            "etherrat",
            "react2shell",
            "dprk",
            "december",
            "cve202555182",
            "rscs",
            "sysdig trt",
            "cobalt strike",
            "stage",
            "ethereum rpc",
            "sliver",
            "powershell",
            "vshell",
            "xmrig",
            "shell",
            "hunt"
          ],
          "references": [
            "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mengkuong",
            "id": "239193",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12,
            "CVE": 1,
            "domain": 2,
            "hostname": 9
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "141 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6938f3d717ae870f6a4b1515",
          "name": "DPRK\u2019s New Weapon EtherRAT Uses Smart Contracts to Outsmart Defenders",
          "description": "Our analysis of an EtherRAT implant shows that the network's infrastructure is vulnerable to a malicious strain of the Ethereum virtual currency, also known as Ether RAT, which can be hijacked and used to steal money.",
          "modified": "2026-01-09T03:03:15.683000",
          "created": "2025-12-10T04:15:19.613000",
          "tags": [
            "type value",
            "etherrat note",
            "iocs",
            "staging server",
            "payload url",
            "etherrat",
            "react2shell",
            "dprk",
            "december",
            "cve202555182",
            "rscs",
            "sysdig trt",
            "cobalt strike",
            "stage",
            "ethereum rpc",
            "sliver",
            "powershell",
            "vshell",
            "xmrig",
            "shell",
            "hunt",
            "lazarus",
            "threat intelligence",
            "beavertail",
            "javascript"
          ],
          "references": [
            "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Threat Intelligence",
              "display_name": "Threat Intelligence",
              "target": null
            },
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12,
            "CVE": 1,
            "domain": 2,
            "hostname": 9
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "142 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f77908c95fb55b5ddbca7e",
          "name": "LinkPro: eBPF rootkit analysis",
          "description": "LinkPro is a stealthy eBPF-based rootkit and backdoor targeting GNU/Linux systems, discovered by Synacktiv's CSIRT during an investigation into a compromised Amazon-hosted infrastructure in which the threat actor deployed it on several Kubernetes clusters.",
          "modified": "2025-10-21T12:14:00.916000",
          "created": "2025-10-21T12:14:00.916000",
          "tags": [
            "linkpro",
            "hide",
            "knock",
            "synacktiv csirt",
            "file size",
            "threat linux",
            "defense evasion",
            "ip address",
            "linkpro rootkit",
            "module sample",
            "rootkit",
            "rust",
            "malware",
            "first",
            "service",
            "bpfdoor",
            "symbiote",
            "timestomp",
            "vshell",
            "kretprobe"
          ],
          "references": [
            "https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "vShell",
              "display_name": "vShell",
              "target": null
            },
            {
              "id": "Linkpro",
              "display_name": "Linkpro",
              "target": null
            },
            {
              "id": "LinkPro",
              "display_name": "LinkPro",
              "target": null
            },
            {
              "id": "Kretprobe",
              "display_name": "Kretprobe",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10,
            "CIDR": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 8,
            "YARA": 6,
            "domain": 5,
            "hostname": 2
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "221 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c1c23bdb5fa87399399ff3",
          "name": "IOC | ThreatIntelligence | ZynorRAT | Malware C2",
          "description": "",
          "modified": "2025-10-10T07:04:17.642000",
          "created": "2025-09-10T18:23:55.536000",
          "tags": [
            "remote access trojan",
            "zynorrat",
            "go-based",
            "turkish",
            "linux",
            "telegram",
            "windows",
            "c2"
          ],
          "references": [
            "https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ZynorRAT",
              "display_name": "ZynorRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68c12ec5eb851e4417b21f49",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 10,
            "domain": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "233 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683dcd9a988921feff728ac7",
          "name": "Attacker exploits misconfigured AI tool to run AI-generated payload.",
          "description": "An attacker exploited a misconfigured Open WebUI instance to execute an AI-generated malicious payload. Sysdig\u2019s Threat Research Team (TRT) report describes how weak configurations in AI tooling were abused to deploy harmful scripts, and covers the attack vectors, detection strategies, and best practices for securing AI environments.",
          "modified": "2025-07-02T16:02:54.605000",
          "created": "2025-06-02T16:13:14.900000",
          "tags": [
            "perl",
            "code language",
            "open webui",
            "linux",
            "python script",
            "sysdig trt",
            "sysdig runtime",
            "llms",
            "discord webhook",
            "tools",
            "discord",
            "python",
            "xmrig",
            "persistence",
            "powershell",
            "windows"
          ],
          "references": [
            "https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA256": 10,
            "URL": 25,
            "domain": 6,
            "hostname": 3
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6801d029c9e039c4cc2da8a1",
          "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
          "description": "",
          "modified": "2025-05-16T12:05:02.605000",
          "created": "2025-04-18T04:08:09.746000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ffa95f151c5344baf7419f",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "379 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ffa95f151c5344baf7419f",
          "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
          "description": "",
          "modified": "2025-05-16T12:05:02.605000",
          "created": "2025-04-16T12:58:07.087000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "379 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ff7c5a5163eb4b1d743547",
          "name": "China Hackers Launch Stealth Linux Attacks with SNOWLIGHT and VShell",
          "description": "A China-linked threat actor, tracked as UNC5174, has launched a new campaign using a variant of the SNOWLIGHT malware and a remote access trojan known as VShell to compromise Linux systems. The group is leveraging open-source tools to reduce costs, blend in with less advanced attackers, and evade detection.",
          "modified": "2025-05-16T09:01:05.301000",
          "created": "2025-04-16T09:46:02.608000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "380 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ba24006c60738da31d6f26",
          "name": "Springtail: New Linux Backdoor Added to Toolkit | Symantec Enterprise Blogs",
          "description": "",
          "modified": "2025-03-24T19:03:26.922000",
          "created": "2025-02-22T19:22:40.388000",
          "tags": [
            "gomir",
            "gobear",
            "troll stealer",
            "south korea",
            "linux version",
            "khnp",
            "stealer",
            "gpki",
            "ahnlab",
            "betaseed",
            "team",
            "kimsuky",
            "february",
            "install"
          ],
          "references": [
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 18,
            "URL": 1,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "562 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6687f3a61f728ce0a447e5ac",
          "name": "New Threat: A Deep Dive Into the Zergeca Botnet",
          "description": "A Golang-based botnet associated with the Mirai botnet family has been operating since September 2023, according to an analysis by cyber security firm XLab CTIA.",
          "modified": "2024-08-04T13:02:22.242000",
          "created": "2024-07-05T13:22:45.390000",
          "tags": [
            "ddos",
            "en",
            "botnet",
            "doh",
            "zergeca",
            "september",
            "xor key",
            "c2 resolution",
            "c2 ip",
            "zergeca sample",
            "smux",
            "virustotal",
            "germany",
            "golang",
            "mirai",
            "april",
            "zerg",
            "june",
            "downloader",
            "loader",
            "stop",
            "twitter"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/#background"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Germany"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "URL": 2,
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "664 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66878ba454bc6fdb68ef993c",
          "name": "New Threat: A Deep Dive Into the Zergeca Botnet",
          "description": "A Golang-based botnet associated with the Mirai botnet family has been operating since September 2023, according to an analysis by cyber security firm XLab CTIA.",
          "modified": "2024-08-04T05:03:12.980000",
          "created": "2024-07-05T05:59:00.690000",
          "tags": [
            "doh",
            "ddos",
            "botnet",
            "en",
            "zergeca",
            "september",
            "xor key",
            "c2 resolution",
            "c2 ip",
            "zergeca sample",
            "smux",
            "virustotal",
            "germany",
            "golang",
            "mirai",
            "april",
            "zerg",
            "june",
            "downloader",
            "loader",
            "stop",
            "twitter"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/#background"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Germany"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "URL": 2,
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "665 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6683bdd1247c16c5855518c7",
          "name": "Domain-URL-IP-Hash-IOC",
          "description": "Updated collection of malicious, malware, phishing, etc. indicators: domains, URLs, IPs and hashes",
          "modified": "2024-08-02T07:05:02.060000",
          "created": "2024-07-02T08:44:01.648000",
          "tags": [
            "word"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 286,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 2521,
            "domain": 8243,
            "email": 7,
            "hostname": 2893
          },
          "indicator_count": 13683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "667 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "667eb5aa23e50b03fcf27e98",
          "name": "8220 Mining Gang's New Tool: k4spreader",
          "description": "",
          "modified": "2024-07-28T13:00:49.905000",
          "created": "2024-06-28T13:07:54.703000",
          "tags": [
            "miner",
            "botnet",
            "ddos",
            "backdoor",
            "tsunami botnet",
            "tsunami",
            "pwnrig",
            "cgo mode",
            "pwnrig mining",
            "trojan",
            "add system",
            "urls",
            "overviewon june",
            "february",
            "persistence",
            "download"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "URL": 14,
            "domain": 4,
            "hostname": 8
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "671 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664734d5d68a042e713f82d2",
          "name": "Springtail: New Linux Backdoor Added to Toolkit | Symantec Enterprise Blogs",
          "description": "A new Linux backdoor used by North Korea\u2019s Springtail group has been discovered by security firm Symantec, which describes a family of backdoors that can steal data and passwords from infected computers.",
          "modified": "2024-06-16T10:04:57.524000",
          "created": "2024-05-17T10:43:33.114000",
          "tags": [
            "gomir",
            "gobear",
            "troll stealer",
            "south korea",
            "linux version",
            "khnp",
            "stealer",
            "gpki",
            "ahnlab",
            "betaseed",
            "team",
            "kimsuky",
            "february",
            "install",
            "springtail",
            "endoor",
            "gobear windows",
            "troll"
          ],
          "references": [
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
          ],
          "public": 1,
          "adversary": "Springtail",
          "targeted_countries": [
            "United States of America",
            "Korea, Republic of",
            "Korea, Democratic People's Republic of"
          ],
          "malware_families": [
            {
              "id": "GoBear",
              "display_name": "GoBear",
              "target": null
            },
            {
              "id": "Endoor",
              "display_name": "Endoor",
              "target": null
            },
            {
              "id": "GoBear Windows",
              "display_name": "GoBear Windows",
              "target": null
            },
            {
              "id": "Springtail",
              "display_name": "Springtail",
              "target": null
            },
            {
              "id": "Troll",
              "display_name": "Troll",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Journalists",
            "Academics"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 18,
            "URL": 1,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "714 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6659ea571eab262a3942e77c",
          "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
          "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later analysis, which is what this is. At present I don't have the slightest clue what it is or what it was doing on my computer, but with the majority of the */bin/ files coming back as symlinks to */bin/toybox I'm assuming it's nothing that would improve my day-to-day life. Standby for further analysis. At present these are just the SHA256s of the filesystem itself.",
          "modified": "2024-05-31T15:18:47.112000",
          "created": "2024-05-31T15:18:47.112000",
          "tags": [
            "mntdevfb0",
            "mntdevhda1",
            "mntdevhda3",
            "mntdevkmem",
            "mntdevmem",
            "mntdevmmcblk0p1",
            "mntdevmmcblk0p3",
            "mntdevmtd0",
            "mntdevmtd2",
            "mntdevmtd4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1991,
            "domain": 70
          },
          "indicator_count": 2063,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "729 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6605781ad51380e5b1c22815",
          "name": "haul from the last two weeks of wrangling - presumed malware and IOC's found on my personal devices",
          "description": "Nearing the two-year mark since the initial attack. Unfortunately, OTX was only able to pull domains from the large majority of the uploaded files, which seems to be a built-in anti-debug feature; it fits the theme and \"look & feel\" of this latest iteration, in which most of the files were somehow remote and acting as a network file system on my machine.",
          "modified": "2024-04-27T02:04:29.606000",
          "created": "2024-03-28T14:00:58.809000",
          "tags": [
            "dddf",
            "target",
            "dddj",
            "path",
            "base o",
            "base",
            "backupfile",
            "base rw",
            "exit",
            "date",
            "hell",
            "gnu libtool",
            "please do",
            "linker",
            "lsmime3 lnss3",
            "lplc4 lnspr4",
            "ludev",
            "directory",
            "lmagic ljansson",
            "feugiat",
            "lorem ipsum",
            "nulla facilisi",
            "malesuada",
            "etiam tempor",
            "suspendisse",
            "consectetur",
            "bibendum",
            "amet",
            "eget aliquet",
            "basesectors",
            "date echo",
            "default",
            "label",
            "kernel",
            "append rhgb",
            "clsid",
            "systemroot",
            "webbrowser",
            "ispell",
            "imagemagick",
            "flex",
            "zle c",
            "whois",
            "locate",
            "rubber",
            "chown",
            "ruby",
            "ninja",
            "pacman",
            "restart",
            "kill",
            "django",
            "mark",
            "repl",
            "service",
            "term",
            "mkdir",
            "borg",
            "black",
            "conan",
            "dolphin",
            "dotnet",
            "hello",
            "john",
            "generic",
            "find",
            "shutdown",
            "mozilla",
            "first",
            "subsystem",
            "action",
            "goto",
            "load",
            "devtype",
            "idnetdriver",
            "drivers",
            "program",
            "interface",
            "nmunmanaged",
            "ethernet",
            "mac prefix",
            "attr",
            "virtualbox host",
            "mac address",
            "interface name",
            "hello world",
            "unit",
            "timer",
            "onbootsec5min",
            "install",
            "wait online",
            "networkmanager",
            "edit",
            "note",
            "typeoneshot",
            "cloud",
            "optin",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "enable debug",
            "trace",
            "killmodeprocess",
            "typedbus",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "include",
            "yara",
            "cflags",
            "libs",
            "xxx remove",
            "the author",
            "this software",
            "isc license",
            "copyright",
            "schlueter",
            "permission",
            "software is",
            "provided",
            "as is",
            "disclaims all",
            "direct",
            "require",
            "semver",
            "comparator",
            "range",
            "releasetypes",
            "simple",
            "tilde",
            "09azaz",
            "prerelease",
            "same",
            "beta",
            "semverrangesgtr",
            "semverrangesltr",
            "coerce version",
            "ranges",
            "alpha",
            "standalone",
            "exits",
            "null",
            "false",
            "reverse",
            "compare",
            "a javascript",
            "copyright isaac",
            "typeerror",
            "maxsafeinteger",
            "maxlength",
            "break",
            "error",
            "number",
            "drop",
            "same direction",
            "symbol",
            "comp",
            "const",
            "caret",
            "flagloose",
            "xrange",
            "parse",
            "identifier",
            "object",
            "match",
            "string",
            "walk",
            "manually",
            "stop",
            "highhaspre",
            "major",
            "minor",
            "patch",
            "istanbul",
            "preminor",
            "index",
            "regexp",
            "build metadata",
            "meaning",
            "replace",
            "token",
            "zero",
            "star",
            "infinity",
            "return",
            "a cache",
            "build status",
            "coverage status",
            "the same",
            "options",
            "before",
            "lrulist",
            "cache",
            "length",
            "dispose",
            "maxage",
            "allowstale",
            "nodisposeonset",
            "yallist",
            "node",
            "array",
            "head",
            "function",
            "tail",
            "start",
            "insert",
            "just",
            "node object",
            "barbar",
            "array method",
            "default export",
            "any comparator",
            "complex range",
            "simple range",
            "c1 c2",
            "outer",
            "every simple",
            "ecomp",
            "must",
            "clone",
            "case",
            "ignore",
            "setmin",
            "determine",
            "version",
            "typeof",
            "contribute",
            "status",
            "node package",
            "manager",
            "benchmark suite",
            "installation",
            "direct download",
            "ql https",
            "node version",
            "usage",
            "project",
            "calendar",
            "package",
            "source",
            "license",
            "source form",
            "perl foundation",
            "distributor fee",
            "distribute",
            "standard",
            "neither",
            "module",
            "basecommand",
            "lifecyclecmd",
            "base command",
            "pacote",
            "browser",
            "workspace",
            "pkgname",
            "await",
            "boolean",
            "base class",
            "wrapwidth",
            "chalk",
            "command",
            "config",
            "npmcliconfig",
            "logfile",
            "timers",
            "display",
            "location",
            "audit",
            "arboristcmd",
            "arborist",
            "global",
            "whoami",
            "async",
            "json",
            "view",
            "pref",
            "pckmnt",
            "resolve",
            "utf8",
            "libnpmversion",
            "unstar",
            "update",
            "save",
            "omit",
            "packagelock",
            "dryrun",
            "force",
            "libnpmaccess",
            "spec",
            "uninstall",
            "todo",
            "enoent",
            "enotdir",
            "test",
            "scriptshell",
            "scope",
            "team",
            "create",
            "user",
            "libnpmteam",
            "destroy",
            "table",
            "list",
            "cidr",
            "stars",
            "eneedauth",
            "shrinkwrap",
            "rename",
            "npmcliarborist",
            "value",
            "unicode",
            "sbom",
            "cyclonedx",
            "build",
            "sbomformats",
            "response",
            "software bill",
            "look",
            "script",
            "runscript",
            "indent",
            "root",
            "minipass",
            "search",
            "pipeline",
            "filterstream",
            "libnpmsearch",
            "long",
            "grab",
            "packageurlcmd",
            "repo",
            "info",
            "repo const",
            "rebuild",
            "reifycmd",
            "publish",
            "libnpmpack",
            "npmclirunscript",
            "prune",
            "remove",
            "prefix",
            "args",
            "queryable",
            "packagejson",
            "pong",
            "cleanurl",
            "registry",
            "pack",
            "load tarball",
            "noise",
            "query",
            "edge",
            "etarget",
            "e403",
            "e404",
            "outdated",
            "homepage",
            "developer",
            "admin",
            "owner",
            "libnpmorg",
            "npmfetch",
            "logout",
            "getauth",
            "invalid",
            "parent",
            "depth",
            "type",
            "filteredby",
            "dedupe",
            "problems",
            "login",
            "link",
            "util",
            "installcitest",
            "runs",
            "prop",
            "password",
            "profile",
            "mode",
            "email",
            "twitter",
            "hook",
            "libnpmhook",
            "init",
            "wpath",
            "installtest",
            "complete",
            "globaltop",
            "help",
            "viewer",
            "glob",
            "pattern",
            "file",
            "globify",
            "explore",
            "shell",
            "handle",
            "fund",
            "which",
            "fundingsource",
            "archy",
            "explain",
            "helpsearch",
            "text",
            "part",
            "editor",
            "editor const",
            "childprocess",
            "check",
            "nodemodules",
            "docs",
            "promisify",
            "doctor",
            "cacache",
            "mask",
            "win32",
            "disttag",
            "packagespec",
            "semver range",
            "delete",
            "diff",
            "workspacepath",
            "actualtree",
            "libnpmdiff",
            "deprecate",
            "message",
            "write",
            "clean",
            "spawn",
            "compline",
            "comppoint",
            "compcword",
            "epipe",
            "completion",
            "compfish",
            "os x",
            "bugs",
            "report",
            "adduser",
            "exec",
            "libnpmexec",
            "localprefix",
            "runpath",
            "skip",
            "public key",
            "npmauditreport",
            "access",
            "item",
            "finddupes",
            "syntaxerror",
            "getcli",
            "eventemitter",
            "abort",
            "ssri",
            "columnify",
            "bundled",
            "tarball details",
            "sha1",
            "daily",
            "latest",
            "check daily",
            "weekly",
            "cyclonedxschema",
            "cyclonedxformat",
            "proppath",
            "propbundled",
            "propdevelopment",
            "propextraneous",
            "propprivate",
            "refvcs",
            "refwebsite",
            "crypto",
            "readpassword",
            "readusername",
            "reademail",
            "enter",
            "enter otp",
            "otpprompt",
            "afaf09",
            "passwordprompt",
            "auditerror",
            "getfundinginfo",
            "json output",
            "data",
            "append",
            "maybeindex",
            "ontimeend",
            "name",
            "returns",
            "noassertion",
            "spdxidentifer",
            "spdxdatalicense",
            "reldescribes",
            "reldep",
            "reftypepurl",
            "spdxid",
            "eotp",
            "e401",
            "setinterval",
            "npmlog",
            "proclog",
            "maxlogsperfile",
            "fsminipass",
            "open",
            "colmax",
            "colmin",
            "colgutter",
            "quick help",
            "convert",
            "b return",
            "mb return",
            "gb return",
            "sigint",
            "readline",
            "prompt",
            "promise",
            "eresolve error",
            "overridden",
            "peer",
            "extraneous",
            "optional",
            "isworkspace",
            "maxlen",
            "code",
            "unfinished",
            "notice",
            "isshellout",
            "matcherrorcode",
            "devnull",
            "npmcompletion",
            "compwords",
            "compreply",
            "o default",
            "f npmcompletion",
            "ifs compadd",
            "fish shell",
            "l cmd",
            "taken",
            "comp stuff",
            "lx compline",
            "abbrev",
            "please",
            "enyi",
            "json version",
            "cygwin",
            "c1 control",
            "numbers",
            "x09 x0a",
            "10000",
            "nodemodulesnpm",
            "builtin",
            "npmrc",
            "notsup",
            "notarget",
            "nospc",
            "rofs",
            "author",
            "npmclifs",
            "minimatch",
            "pathtofoo",
            "relative",
            "synopsis",
            "description",
            "field",
            "person",
            "configuration",
            "whether",
            "premajor",
            "prepatch",
            "prevents",
            "run git",
            "upgrade",
            "examples",
            "will",
            "shareman",
            "cidr whitelist",
            "please refer",
            "tokenid",
            "eslint",
            "c eslint",
            "compatibility",
            "older",
            "versions",
            "nodeoptions",
            "details",
            "output",
            "example",
            "posix",
            "unstarring",
            "lcall",
            "starring",
            "lock",
            "materials",
            "spdx",
            "lodash",
            "nodeenv",
            "initcwd",
            "boolean set",
            "boolean tells",
            "windows",
            "unix",
            "selector",
            "use cases",
            "queries",
            "equivalent",
            "boolean show",
            "nocolor environ",
            "cli look",
            "boolean force",
            "dependency",
            "json object",
            "production",
            "files",
            "cicd system",
            "property",
            "change",
            "url opener",
            "basic auth",
            "allow",
            "description a",
            "removes",
            "semvermajor",
            "ping https",
            "ping http",
            "found",
            "get http",
            "example add",
            "json format",
            "handy",
            "display prefix",
            "g usrlocal",
            "mycorp",
            "associate",
            "deprecated",
            "libnodemodules",
            "caveat note",
            "workspace usage",
            "string override",
            "tarball",
            "githubrepo",
            "initializer",
            "usrfoo",
            "forwarding",
            "suppose",
            "commandsnpm",
            "hooks",
            "url endpoint",
            "browse",
            "consider",
            "ci environment",
            "string optional",
            "promzard",
            "top level",
            "expect",
            "javascript",
            "it staff",
            "https",
            "cli team",
            "ecmascript",
            "readme",
            "package current",
            "latest location",
            "depended",
            "git repos",
            "git dependency",
            "newest version",
            "modify package",
            "description add",
            "show",
            "purpose tags",
            "tags",
            "keyvalue",
            "16 16",
            "boolean ignore",
            "boolean do",
            "string source",
            "treat",
            "example make",
            "grep",
            "travis ci",
            "details npm",
            "localappdata",
            "tab completion",
            "bulk advisory",
            "sha256publickey",
            "endpoint",
            "quick audit",
            "set access",
            "that user",
            "scoped",
            "python",
            "description npm",
            "node javascript",
            "important npm",
            "introduction",
            "c code",
            "unix system",
            "integrity",
            "provide",
            "facilitate",
            "cli tool",
            "handling old",
            "lockfiles",
            "file format",
            "legacy",
            "urls",
            "spdx license",
            "most",
            "barney rubble",
            "specify",
            "github",
            "dependencies",
            "github urls",
            "node installer",
            "linux",
            "overview",
            "windows node",
            "prefixetcnpmrc",
            "variablename",
            "home",
            "comments",
            "peruser config",
            "global config",
            "builtin config",
            "auth",
            "cycles",
            "local install",
            "global install",
            "appdata",
            "below",
            "please note",
            "stage",
            "after",
            "life cycle",
            "runs after",
            "post scripts",
            "scripts",
            "slate",
            "synopsis so",
            "rf usrlocal",
            "modules",
            "with",
            "laf usrlocal",
            "l npm",
            "description all",
            "installing",
            "myorgmypackage",
            "requiring",
            "publishing",
            "private modules",
            "scopes",
            "apis",
            "auth related",
            "does",
            "package name",
            "aliases",
            "folders",
            "os equivalent",
            "tarballs",
            "teams",
            "orgs",
            "super admin",
            "team admins",
            "developer guide",
            "description so",
            "be explicit",
            "blank",
            "standard glob",
            "link packages",
            "syntax",
            "selectors",
            "querying",
            "log file",
            "location all",
            "log levels",
            "information",
            "headers",
            "logs",
            "alias",
            "certificate",
            "format",
            "docext",
            "content",
            "descriptions",
            "shorthands",
            "keyb",
            "print",
            "dir1",
            "manual",
            "input",
            "line",
            "process",
            "display help",
            "dirs",
            "get contents",
            "maxdepth",
            "contents",
            "u2665 bxe5r",
            "ud834udf06 baz",
            "single",
            "cssesc",
            "usage arborist",
            "commands",
            "options most",
            "npm install",
            "npm rm",
            "time",
            "silent",
            "fetch",
            "conf",
            "handler",
            "extract",
            "additional",
            "jackspeak",
            "jack",
            "glob v",
            "expand",
            "drive letter",
            "never",
            "true",
            "rob browning",
            "gnu library",
            "general",
            "public license",
            "license file",
            "future import",
            "adderror",
            "cdfq",
            "charles levert",
            "egrep",
            "egrepegrep",
            "fgrepfgrep",
            "grepgrep",
            "svr4 grepegrep",
            "times",
            "attributeerror",
            "fixcygwinid",
            "enhanced",
            "false try",
            "false assert",
            "tsns",
            "inetaddress",
            "none",
            "return value",
            "unixaddress",
            "localrepo",
            "httpserver",
            "valueerror",
            "resourcepath",
            "exception",
            "eoferror",
            "c version",
            "bytesio",
            "offset",
            "binary",
            "ascii",
            "baseversion",
            "commit",
            "throw",
            "in n",
            "send",
            "data end",
            "if 10",
            "copy",
            "send logoutn",
            "exitatoi",
            "tmplink",
            "lcallc binls",
            "varlogsetup rm",
            "sf tmp",
            "slackware",
            "system console",
            "entry",
            "ansi mode",
            "b007e",
            "slackware ftp",
            "cdrom",
            "miquel van",
            "smoorenburg",
            "okay",
            "minix",
            "fixme",
            "overwrite",
            "connect",
            "ssh connection",
            "subcmd",
            "bbupttywidth",
            "bupforcetty",
            "hashsplitter",
            "b options",
            "false def",
            "hack",
            "kbytesr",
            "srcpath",
            "tmptagfiles",
            "device",
            "tmpreply",
            "reply",
            "including",
            "but not",
            "quotesplit",
            "quoteerror",
            "not word",
            "split line",
            "mainselect",
            "tpxetcfstab",
            "select",
            "slackware linux",
            "varlogmount",
            "anything",
            "tmpswapmsg",
            "swappart",
            "ndir",
            "swaplist",
            "tmpsetswap",
            "linux swap",
            "swap space",
            "redir",
            "linux fdisk",
            "tmptmpscript",
            "eof fi",
            "instsets",
            "gnome",
            "tmpsetds",
            "tmpsetseries",
            "gnu emacs",
            "gnome desktop",
            "linux kernel",
            "k desktop",
            "uucp",
            "tmp fi",
            "tmpsettpx",
            "tpxetcshadow",
            "root password",
            "detected",
            "internet",
            "press",
            "linux native",
            "partitions",
            "tmpreturn",
            "nodes",
            "nextpartition",
            "rootdevice",
            "mtpt",
            "size",
            "formatting",
            "doformat",
            "main",
            "done",
            "sourcemedia",
            "tmpmedia",
            "source media",
            "selection",
            "slackware cd",
            "network file",
            "tmpsetreturn",
            "maketag",
            "choice",
            "mount",
            "tagext",
            "tmpsetnewtag",
            "tmpsettagmake",
            "sorry",
            "tmpsetkeymap",
            "mapname",
            "moorhead",
            "keyboard map",
            "us keyboard",
            "updown",
            "copying",
            "kernel chmod",
            "kernel rdev",
            "lilo",
            "fullerr",
            "tmpsettestfull",
            "partition full",
            "setup",
            "altf2",
            "slackware setup",
            "dospart",
            "newdir",
            "tmptempscript",
            "tmpsetdos",
            "partition",
            "ntfs",
            "doslist",
            "installscripts",
            "tpxproc",
            "atapi cd",
            "kerberos",
            "file transfer",
            "iana",
            "appletalk",
            "network",
            "control",
            "secure shell",
            "chat",
            "contact",
            "prospero",
            "outtag",
            "outshift",
            "if 30",
            "conn",
            "setmode",
            "dumb",
            "smart",
            "clienterror",
            "rather",
            "stopiteration",
            "firstexclusion",
            "appendcommit",
            "firstbranchitem",
            "filterbranch",
            "origtip",
            "oldnew",
            "remoterepo",
            "group",
            "prevpath",
            "sisdir import",
            "dangerous",
            "count",
            "subcount",
            "ioerror",
            "oserror",
            "gitmodetree",
            "gitmodefile",
            "gitmodesymlink",
            "stack",
            "nonlocal",
            "revision",
            "presdir",
            "admdirpackages",
            "warn",
            "tmprequiredlist",
            "trigger",
            "arch",
            "procscsiscsi",
            "luns",
            "scsi",
            "ax1b",
            "skript",
            "scsi bus",
            "kurt garloff",
            "gnu gpl",
            "ieee1394",
            "l found0",
            "nextrepoid",
            "repoid",
            "realpath",
            "usb keyboard",
            "d libmodules",
            "nousb",
            "procbususb a",
            "procbususb fi",
            "load input",
            "q input",
            "inet system",
            "hostname",
            "attach",
            "etcmotd",
            "newdisk",
            "scan",
            "slackkernel",
            "ram disk",
            "r sbp2",
            "r ieee1394",
            "firewire",
            "noieee1394",
            "q ieee1394",
            "attempt",
            "use f",
            "none def",
            "return password",
            "return none",
            "passwd",
            "nametopwdcache",
            "gidtogrpcache",
            "nametogrpcache",
            "tagfile",
            "prompt mode",
            "help software",
            "less",
            "removepkg",
            "gnu cc",
            "linux source",
            "pkgtool",
            "proccmdline",
            "termvt100",
            "termlinux",
            "homeroot lessmm",
            "ps1u",
            "home path",
            "display less",
            "term ps1",
            "kind",
            "branch",
            "period",
            "tmpsetfdisk",
            "minor elif",
            "smashedline",
            "l dev",
            "tmpsetfdisk fi",
            "probe",
            "mylex",
            "raid",
            "disksets",
            "packagedir",
            "blurb",
            "sourcedir",
            "tmptmpmsg",
            "tmptagfile",
            "media",
            "pcmcia",
            "umountcdrom",
            "o ro",
            "floppy",
            "pcmcia andor",
            "cardbus",
            "usedflopfalse",
            "libdir",
            "libdir exedir",
            "bcmd",
            "exedir",
            "openssl set",
            "packageversion",
            "versiongreater",
            "invert",
            "optdict",
            "intify",
            "limited to",
            "sockets layer",
            "argv",
            "normally",
            "shutwr",
            "sigexception",
            "demuxconn",
            "pipe import",
            "demultiplex",
            "openssl",
            "debug",
            "opensslversion",
            "static imported",
            "target openssl",
            "cmake",
            "shared imported",
            "fatalerror",
            "obex",
            "import",
            "stringio import",
            "obex service",
            "bdaddr channeln",
            "ascii character",
            "alength",
            "notfoundreturn",
            "use nis",
            "nis version",
            "name service",
            "switch config",
            "legal",
            "use dns",
            "domain name",
            "os2 boot",
            "os2 fdisk",
            "partition magic",
            "boot manager",
            "tcpip subsystem",
            "nfs install",
            "network support",
            "make",
            "sample file",
            "zip disk",
            "zip drive",
            "first scsi",
            "first ide",
            "atari",
            "solaris",
            "drive x",
            "zip100",
            "linkdir",
            "linkdir fi",
            "tmp directory",
            "asap",
            "linkdir tmp",
            "indexerror",
            "want",
            "midxversion",
            "wrapper",
            "multiple index",
            "filename",
            "desiredhwm",
            "domidx",
            "exitstack",
            "total",
            "option",
            "c option",
            "vmsize",
            "vmrss",
            "vmdata",
            "vmstk",
            "majflt",
            "september",
            "guess object",
            "longmatch",
            "raid device",
            "devrd",
            "devname",
            "concord",
            "applyerror",
            "metadata",
            "einval",
            "macos",
            "frozen",
            "fifo",
            "common code",
            "faildelay",
            "faillogenab",
            "logunkfailenab",
            "logoklogins",
            "lastlogenab",
            "mailcheckenab",
            "quotasenab",
            "syslogsuenab",
            "syslogsgenab",
            "console console",
            "ttywidth",
            "baseexception",
            "pythonpath",
            "pipe",
            "sigismember",
            "xdropaqueauth",
            "libcpvalloc",
            "rtld",
            "gnu c",
            "library",
            "free software",
            "foundation",
            "gnu lesser",
            "general public",
            "merchantability",
            "refs",
            "keyerror",
            "important",
            "carefully",
            "kwargs",
            "super",
            "true result",
            "priority",
            "pmsg",
            "crunch",
            "tmptempmsg",
            "localnetmask",
            "localipaddr",
            "upnrun",
            "ip address",
            "localgateway",
            "kversion",
            "eof dialog",
            "tmpmask",
            "localnetwork",
            "slackdevice",
            "fgrep",
            "ftp site",
            "tmpsetmount",
            "reboot machine",
            "tmpwhichdrv",
            "tmpsetmount cat",
            "select floppy",
            "drive",
            "tmptempmsg exit",
            "tmptempmsg mv",
            "tmpsourcedir",
            "drivefound",
            "cddvd",
            "rdir",
            "cddvd drive",
            "tmpsetcddev",
            "ide bus",
            "tmperrordo exit",
            "third",
            "login binsh",
            "l ttys0",
            "l ttys1",
            "x0 s",
            "reboot",
            "stuff",
            "bupdir",
            "iterhelper",
            "next",
            "none d",
            "indexhdr",
            "ixexists",
            "ixhashvalid",
            "ixshamissing",
            "indexsig",
            "entlen",
            "footersig",
            "tmpdir",
            "experimental",
            "bdupcache",
            "brestore",
            "bindex",
            "agulbra",
            "tcpip",
            "linux box",
            "hlinkdb",
            "verify",
            "maxpertree",
            "bupblobbits",
            "buptreeblobbits",
            "giterror",
            "mpicount",
            "bupnormal",
            "bupchunked",
            "refresh",
            "close",
            "dump",
            "dest",
            "commonargs",
            "ref dest",
            "pick",
            "btree",
            "missingobject",
            "bloom filter",
            "existingcount",
            "idxlivecount",
            "ram budget",
            "bupfs",
            "importerror",
            "fuse",
            "verbose",
            "fakemetadata",
            "fsdecode",
            "ptraceerror",
            "ptracesetregs",
            "cpu64bits",
            "ptraceattach",
            "ptracedetach",
            "ptracesyscall",
            "cpuwordsize",
            "runningbsd",
            "ext2",
            "proc proc",
            "commanderror",
            "optionerror",
            "lcctype",
            "iso88591",
            "localrepo repo",
            "sbine2fsck",
            "bfailed",
            "elif",
            "bcanary",
            "posix acls",
            "linux partition",
            "move",
            "pgdnspace",
            "olargefile",
            "onofollow",
            "xdev",
            "xdevxdev",
            "dirlist",
            "prepend",
            "cyan",
            "white",
            "blue",
            "dialog box",
            "yellow",
            "active button",
            "inactive button",
            "search box",
            "input box",
            "green",
            "excluderxs",
            "doit",
            "s seed",
            "this command",
            "is extremely",
            "dangerous n",
            "chunksize",
            "socket",
            "return hex",
            "supports python",
            "rethrow",
            "hostrs",
            "bnone",
            "bload",
            "branchpath",
            "snapshotroot",
            "snapshot",
            "tmpidx",
            "bashsource",
            "bashlineno",
            "int dryrun",
            "importing",
            "ux f",
            "sbinbrc",
            "eof binsync",
            "unmounting file",
            "devnull echo",
            "rest",
            "first assert",
            "existing",
            "restcount",
            "none path",
            "maxbloombits",
            "bloomversion",
            "maxbitseach",
            "discussion",
            "k4 k5",
            "k6 k7",
            "k8 k9",
            "rvatoi",
            "exitrv",
            "exit 1",
            "noblock",
            "sisdir",
            "sislnk",
            "writetree",
            "rawtreeitem",
            "splittreeitem",
            "metadataro",
            "meta",
            "builtmodulename",
            "dkms",
            "packagename",
            "autoinstall",
            "kernelrelease",
            "kbuild",
            "kerneluname",
            "implementation",
            "murmurhash3",
            "jens taylor",
            "gary court",
            "austin appleby",
            "typeof h",
            "later",
            "tls1",
            "fbtfr",
            "fbfr",
            "apache http",
            "fbefr",
            "fbhfr",
            "fbabfr",
            "http",
            "keepalive",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "runtime data",
            "ansi",
            "getprocaddress",
            "access type",
            "ck id",
            "observed ja3",
            "mitre att",
            "show technique",
            "suspicious",
            "hybrid",
            "click",
            "delphi",
            "strings",
            "malicious",
            "february",
            "middle",
            "exploit",
            "gameover",
            "hybrid analysis",
            "api key",
            "vetting process",
            "ck matrix",
            "accept",
            "memoryfile scan",
            "invalid octet",
            "falcon sandbox",
            "tmpp59thrck",
            "informative",
            "name tactics"
          ],
          "references": [
            "itl-logo.txt",
            "empty.exe",
            "libnm.la",
            "libyara.la",
            "sunjava_map.xml",
            "lorem.txt",
            "stage2",
            "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
            "syslinux.cfg",
            "x.jnlp",
            "desktop.ini",
            "a.txt",
            "a.txt:ads.txt",
            "dir:ads.txt",
            "b.txt:ads.txt",
            "no_ads.txt",
            ".:ads.txt",
            "b.txt",
            "nm-shared.xml",
            ".zcompdump-m1904-5.9",
            ".zcompdump",
            "90-nm-thunderbolt.rules",
            "84-nm-drivers.rules",
            "85-nm-unmanaged.rules",
            "???? ????????.txt",
            "notes.txt",
            "notes.txt:ads",
            "nm-cloud-setup.timer",
            "NetworkManager-wait-online.service",
            "nm-cloud-setup.service",
            "nm-priv-helper.service",
            "NetworkManager-dispatcher.service",
            "NetworkManager.service",
            "NetworkManager-ovs.conf",
            "nm-pppd-plugin.la",
            "yara.pc",
            "libnm.pc",
            "preload.js",
            "LICENSE",
            "index.js",
            "range.bnf",
            "package.json",
            "README.md",
            "semver.js",
            "comparator.js",
            "range.js",
            "valid.js",
            "sort.js",
            "satisfies.js",
            "rsort.js",
            "rcompare.js",
            "prerelease.js",
            "patch.js",
            "neq.js",
            "minor.js",
            "major.js",
            "lt.js",
            "inc.js",
            "parse.js",
            "gt.js",
            "eq.js",
            "gte.js",
            "compare-loose.js",
            "compare.js",
            "clean.js",
            "cmp.js",
            "coerce.js",
            "compare-build.js",
            "diff.js",
            "lte.js",
            "parse-options.js",
            "identifiers.js",
            "debug.js",
            "constants.js",
            "re.js",
            "yallist.js",
            "iterator.js",
            "subset.js",
            "to-comparators.js",
            "outside.js",
            "min-version.js",
            "min-satisfying.js",
            "max-satisfying.js",
            "ltr.js",
            "simplify.js",
            "intersects.js",
            "gtr.js",
            "npmrc",
            "cli.js",
            "lifecycle-cmd.js",
            "cli-entry.js",
            "package-url-cmd.js",
            "base-command.js",
            "npm.js",
            "arborist-cmd.js",
            "whoami.js",
            "view.js",
            "version.js",
            "unstar.js",
            "update.js",
            "unpublish.js",
            "uninstall.js",
            "test.js",
            "team.js",
            "stop.js",
            "start.js",
            "token.js",
            "stars.js",
            "shrinkwrap.js",
            "set.js",
            "star.js",
            "sbom.js",
            "run-script.js",
            "root.js",
            "search.js",
            "repo.js",
            "restart.js",
            "rebuild.js",
            "publish.js",
            "prune.js",
            "prefix.js",
            "pkg.js",
            "ping.js",
            "pack.js",
            "query.js",
            "outdated.js",
            "org.js",
            "owner.js",
            "logout.js",
            "ls.js",
            "ll.js",
            "login.js",
            "link.js",
            "install-ci-test.js",
            "profile.js",
            "hook.js",
            "init.js",
            "install-test.js",
            "install.js",
            "help.js",
            "explore.js",
            "fund.js",
            "explain.js",
            "help-search.js",
            "get.js",
            "edit.js",
            "docs.js",
            "doctor.js",
            "dist-tag.js",
            "dedupe.js",
            "deprecate.js",
            "ci.js",
            "config.js",
            "completion.js",
            "bugs.js",
            "adduser.js",
            "exec.js",
            "audit.js",
            "access.js",
            "cache.js",
            "find-dupes.js",
            "validate-engines.js",
            "web-auth.js",
            "tar.js",
            "update-notifier.js",
            "sbom-cyclonedx.js",
            "replace-info.js",
            "read-user-info.js",
            "reify-output.js",
            "queryable.js",
            "timers.js",
            "validate-lockfile.js",
            "sbom-spdx.js",
            "otplease.js",
            "pulse-till-done.js",
            "log-shim.js",
            "log-file.js",
            "npm-usage.js",
            "get-identity.js",
            "format-bytes.js",
            "open-url-prompt.js",
            "explain-eresolve.js",
            "explain-dep.js",
            "exit-handler.js",
            "open-url.js",
            "did-you-mean.js",
            "completion.sh",
            "completion.fish",
            "cmd-list.js",
            "auth.js",
            "audit-error.js",
            "is-windows.js",
            "display.js",
            "reify-finish.js",
            "error-message.js",
            "format-search-stream.js",
            "installed-shallow.js",
            "installed-deep.js",
            "update-workspaces.js",
            "get-workspaces.js",
            "npm-view.md",
            "npm-version.md",
            "npm-uninstall.md",
            "npm-token.md",
            "npx.md",
            "npm-team.md",
            "npm-stop.md",
            "npm-unstar.md",
            "npm-start.md",
            "npm-star.md",
            "npm-test.md",
            "npm-shrinkwrap.md",
            "npm-stars.md",
            "npm-sbom.md",
            "npm-root.md",
            "npm-run-script.md",
            "npm-restart.md",
            "npm-rebuild.md",
            "npm-query.md",
            "npm-search.md",
            "npm-prune.md",
            "npm-publish.md",
            "npm-profile.md",
            "npm-repo.md",
            "npm-whoami.md",
            "npm-pkg.md",
            "npm-pack.md",
            "npm-ping.md",
            "npm-org.md",
            "npm-owner.md",
            "npm-prefix.md",
            "npm-login.md",
            "npm-logout.md",
            "npm-link.md",
            "npm-install-ci-test.md",
            "npm-install.md",
            "npm-init.md",
            "npm-update.md",
            "npm-help-search.md",
            "npm-hook.md",
            "npm-help.md",
            "npm-find-dupes.md",
            "npm-explore.md",
            "npm-unpublish.md",
            "npm-exec.md",
            "npm-ls.md",
            "npm-edit.md",
            "npm-doctor.md",
            "npm-fund.md",
            "npm-outdated.md",
            "npm-docs.md",
            "npm-dist-tag.md",
            "npm-config.md",
            "npm-diff.md",
            "npm-ci.md",
            "npm-cache.md",
            "npm-bugs.md",
            "npm-completion.md",
            "npm-audit.md",
            "npm-access.md",
            "npm.md",
            "npm-install-test.md",
            "npm-adduser.md",
            "npm-dedupe.md",
            "package-lock-json.md",
            "package-json.md",
            "npm-shrinkwrap-json.md",
            "install.md",
            "npmrc.md",
            "folders.md",
            "workspaces.md",
            "scripts.md",
            "removal.md",
            "scope.md",
            "registry.md",
            "package-spec.md",
            "orgs.md",
            "developers.md",
            "dependency-selectors.md",
            "logging.md",
            "config.md",
            "node-which",
            "mkdirp",
            "qrcode-terminal",
            "installed-package-contents",
            "cssesc",
            "color-support",
            "arborist",
            "pacote",
            "glob",
            "empty",
            "xstat (2).py",
            "zgrep",
            "xstat.py",
            "wtmp",
            "web.py",
            "vt300",
            "vt300 (2)",
            "vt100 (3)",
            "vt100",
            "vint.py",
            "version (2).py",
            "version.py",
            "vdecmd",
            "unmigrate (2).sh",
            "unmigrate.sh",
            "tick.py",
            "termcap (2)",
            "termcap",
            "tag.py",
            "syslinux (2).cfg",
            "syslog.conf",
            "syslog (2).conf",
            "styles.css",
            "stdcrt (2)",
            "std (2)",
            "stage2 (3)",
            "stage2 (2)",
            "std",
            "ssh.py",
            "source_info.py",
            "split.py",
            "slackinstall",
            "stdcrt",
            "shells",
            "shells (2)",
            "shquote.py",
            "shadow (2)",
            "shadow",
            "setup (2)",
            "SeTswap (2)",
            "SeTPKG (2)",
            "setup",
            "SeTswap",
            "SeTpasswd (2)",
            "SeTpasswd",
            "SeTnopart (2)",
            "SeTpartitions (2)",
            "SeTnopart",
            "SeTPKG",
            "SeTmedia (2)",
            "SeTpartitions",
            "SeTmedia",
            "SeTmaketag",
            "slackinstall (2)",
            "SeTkeymap (2)",
            "SeTmaketag (2)",
            "SeTkernel",
            "SeTfull (2)",
            "SeTkernel (2)",
            "SeTfull",
            "SeTfdHELP",
            "SeTfdHELP (2)",
            "SeTkeymap",
            "SeTDOS (2)",
            "SeTconfig (2)",
            "services (2)",
            "SeTDOS",
            "SeTconfig",
            "services",
            "sendcmd.rc",
            "securetty (2)",
            "securetty",
            "server.py",
            "rm.py",
            "restore.py",
            "rm (2).py",
            "save.py",
            "removepkg",
            "rescan-scsi-bus",
            "removepkg (2)",
            "README (2)",
            "README",
            "repo.py",
            "rc.usb",
            "rc.inet1",
            "rc.S",
            "rc.ieee1394",
            "random.py",
            "pwdgrp.py",
            "PROMPThelp (2)",
            "profile (2)",
            "prune_older.py",
            "profile",
            "probe (2)",
            "probe",
            "pkgtool",
            "pkgtool (2)",
            "pcmcia",
            "path.py",
            "passwd (2)",
            "passwd",
            "OpenSSLConfigVersion.cmake",
            "options.py",
            "PROMPThelp",
            "openssl.pc",
            "openmachine.rc",
            "on__server.py",
            "on.py",
            "OpenSSLConfig.cmake",
            "obexstress",
            "nsswitch (2).conf",
            "nsswitch.conf",
            "nopartHELP (2)",
            "nopartHELP",
            "networks (2)",
            "networks",
            "network",
            "mux.py",
            "mtools (2).conf",
            "mtools.conf",
            "mtab (2)",
            "mtab",
            "motd (2)",
            "motd",
            "modules.pcimap",
            "modules.pnpbiosmap",
            "modules.parportmap",
            "modules.usbmap",
            "modules.isapnpmap",
            "modules.ieee1394map",
            "modules.generic_string",
            "modules.dep",
            "migrate (2).sh",
            "migrate.sh",
            "midx.py",
            "midx (2).py",
            "meta.py",
            "memtest.py",
            "margin.py",
            "makedevs (2).sh",
            "makedevs.sh",
            "metadata.py",
            "ls (2).py",
            "ls.py",
            "login (2).defs",
            "main.py",
            "login.defs",
            "list_idx.py",
            "libssl.pc",
            "libnm-wwan.la",
            "libnm-ppp-plugin.la",
            "libnm-device-plugin-wwan.la",
            "libnm-device-plugin-wifi.la",
            "libnm-device-plugin-team.la",
            "libnm-device-plugin-bluetooth.la",
            "libnm-device-plugin-ovs.la",
            "libnm-device-plugin-adsl.la",
            "libcrypto.pc",
            "libc6-i386_2.31-0ubuntu6_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.info",
            "libc6-i386_2.30-4_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.symbols",
            "libc6-i386_2.30-4_amd64.info",
            "libc6-i386_2.30-4_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.info",
            "libc6-i386_2.30-0ubuntu2.1_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2.1_amd64.info",
            "libc6-i386_2.29-0ubuntu2_amd64.url",
            "libc6-i386_2.29-0ubuntu2_amd64.symbols",
            "libc6-i386_2.29-0ubuntu2_amd64.info",
            "libc6-i386_2.28-10_amd64.url",
            "libc6-i386_2.28-10_amd64.info",
            "libc6-i386_2.28-10_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.info",
            "libc6-i386_2.27-3ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.url",
            "libc6-i386_2.26-0ubuntu2_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.url",
            "libc6-i386_2.26-0ubuntu2.1_amd64.info",
            "libc6-i386_2.24-11+deb9u4_amd64.url",
            "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.url",
            "libc6-i386_2.24-9ubuntu2_amd64.info",
            "libc6-i386_2.24-9ubuntu2.2_amd64.url",
            "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.url",
            "libc6-i386_2.24-3ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.url",
            "libc6-i386_2.23-0ubuntu11_amd64.url",
            "libc6-i386_2.24-3ubuntu1_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.info",
            "libc6-i386_2.23-0ubuntu11_amd64.symbols",
            "libc6-i386_2.23-0ubuntu11_amd64.info",
            "libc6-i386_2.23-0ubuntu10_amd64.url",
            "libc6-i386_2.23-0ubuntu10_amd64.symbols",
            "libc6-i386_2.23-0ubuntu10_amd64.info",
            "libc6-i386_2.23-0ubuntu3_amd64.symbols",
            "libc6-i386_2.23-0ubuntu3_amd64.info",
            "libc6-i386_2.21-0ubuntu4_amd64.url",
            "libc6-i386_2.23-0ubuntu3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.info",
            "libc6-i386_2.21-0ubuntu4.3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.info",
            "libc6-i386_2.19-18+deb8u10_amd64.url",
            "libc6-i386_2.19-18+deb8u10_amd64.symbols",
            "libc6-i386_2.19-18+deb8u10_amd64.info",
            "libc6-i386_2.19-10ubuntu2_amd64.url",
            "libc6-i386_2.19-10ubuntu2_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
            "libc6-i386_2.19-10ubuntu2_amd64.info",
            "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.symbols",
            "libc6-i386_2.19-0ubuntu6.15_amd64.info",
            "libc6-i386_2.19-0ubuntu6.15_amd64.url",
            "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
            "libc6-i386_2.17-93ubuntu4_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.info",
            "libc6-i386_2.17-0ubuntu5_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5_amd64.info",
            "libc6-i386_2.17-0ubuntu5.1_amd64.url",
            "libc6-i386_2.17-0ubuntu5_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.info",
            "libc6-i386_2.15-0ubuntu20_amd64.url",
            "libc6-i386_2.15-0ubuntu20.2_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.symbols",
            "libc6-i386_2.15-0ubuntu20.2_amd64.info",
            "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10_amd64.info",
            "libc6-i386_2.15-0ubuntu10_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.info",
            "libc6-i386_2.15-0ubuntu10.18_amd64.url",
            "libc6-i386_2.15-0ubuntu10_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.url",
            "libc6-i386_2.13-20ubuntu5_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.3_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.2_amd64.info",
            "libc6-i386_2.13-0ubuntu13_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
            "libc6-i386_2.13-0ubuntu13.2_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
            "libc6-i386_2.13-0ubuntu13.2_amd64.info",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
            "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7_amd64.url",
            "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu19_amd64.url",
            "libc6-i386_2.10.1-0ubuntu19_amd64.info",
            "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.info",
            "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.url",
            "libc6-i386_2.9-4ubuntu6_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
            "libc6-i386_2.9-4ubuntu6.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
            "libc6-i386_2.7-10ubuntu8.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.info",
            "libc6-i386_2.7-10ubuntu3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.info",
            "libc6-i386_2.6.1-1ubuntu10_amd64.url",
            "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu10_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu9_amd64.url",
            "libc6-i386_2.6.1-1ubuntu9_amd64.info",
            "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.info",
            "libc6-i386_2.4-1ubuntu12_amd64.url",
            "libc6-i386_2.4-1ubuntu12_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12.3_amd64.url",
            "libc6-i386_2.4-1ubuntu12.3_amd64.info",
            "libc6-i386_2.5-0ubuntu14_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
            "libc6-i386_2.3.6-0ubuntu20_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
            "ldd",
            "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
            "ld.so (2).conf",
            "ld.so.conf",
            "join.py",
            "itl-logo (3).txt",
            "itl-logo (2).txt",
            "issue",
            "issue (2)",
            "io.py",
            "installpkg",
            "INSNFS (2)",
            "installpkg (2)",
            "INSNFS",
            "INShd",
            "INShd (2)",
            "INSfd (2)",
            "INSfd",
            "INSdir (2)",
            "INSdir",
            "INSCD",
            "INSCD (2)",
            "inittab (2)",
            "inittab",
            "init.py",
            "__init__ (2).py",
            "__init__.py",
            "index (2).py",
            "index.py",
            "import_duplicity.py",
            "hosts (2)",
            "hosts",
            "host (2).conf",
            "host.conf",
            "HOSTNAME",
            "hlinkdb.py",
            "help.py",
            "helpers.py",
            "HOSTNAME (2)",
            "hashsplit.py",
            "group (2)",
            "group",
            "gc (2).py",
            "git.py",
            "get.py",
            "gc.py",
            "fuse.py",
            "func.py",
            "fstab (2)",
            "fstab",
            "ftp.py",
            "fsck (2).ext2",
            "fsck (2).ext3",
            "fsck.ext3",
            "fsck.ext2",
            "fsck.py",
            "filesize",
            "features.py",
            "fdisk (2)",
            "fdisk",
            "FDhelp (2)",
            "FDhelp",
            "empty (3)",
            "empty (2)",
            "drecurse.py",
            "dialogrc",
            "dialogrc (2)",
            "disk2 (2)",
            "drecurse (2).py",
            "disk2",
            "damage.py",
            "daemon.py",
            "compat.py",
            "closemachine.rc",
            "checkout_info.py",
            "cfdisk (2)",
            "client.py",
            "cfdisk",
            "cat_file.py",
            "bup-import-rsnapshot",
            "bup-import-rdiff-backup",
            "brc (2)",
            "brc",
            "bloom (2).py",
            "bloom.py",
            "asyncrecv.rc",
            "90-nm-cloud-setup.sh",
            "vfs.py",
            "tree.py",
            "template-WaR2X6",
            "a1676298638",
            "a4033901479",
            ".X1-lock",
            ".X0-lock",
            ".X1024-lock",
            "b3336837578",
            "MozillaUpdateLock-7A4D7A8EFFB43502",
            "imurmurhash.min.js",
            ".X1025-lock",
            "murmur2",
            "b529967783",
            "empty.lock~",
            "ab.1",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
            "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
            "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
            "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
            "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
            "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
            "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 297,
            "email": 8,
            "hostname": 204,
            "URL": 382,
            "FileHash-SHA1": 7,
            "CVE": 2,
            "FileHash-MD5": 45,
            "FileHash-SHA256": 5
          },
          "indicator_count": 950,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "764 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "661db37bf549518bf6f7f377",
          "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
          "description": "Ignoring the YARA and EICAR files - I was able to recover a partition used for backups from 03/25/24-03/29/24, a range spanning the day of the XZ supply chain disclosure. This is a preliminary dump, with accompanying analysis and SHA-1 and SHA-256 hashes, of my /usr/lib/systemd directory, which housed multiple suspect ssh sub-directories plus malicious libsystemd-shared and libsystemd-core binaries, and all supporting config, dev, service, and binary files. Dig in.",
          "modified": "2024-04-23T14:28:30.317000",
          "created": "2024-04-15T23:08:43.746000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "767 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e98dfeb9cc249b0de76eb0",
          "name": "Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence - Cado Security | Cloud Forensics Incident Response",
          "description": "",
          "modified": "2024-04-06T09:03:36.583000",
          "created": "2024-03-07T09:50:54.219000",
          "tags": [
            "redis",
            "docker",
            "docker engine",
            "cado security",
            "apache hadoop",
            "confluence",
            "cron job",
            "c2 server",
            "labs",
            "cve202226134",
            "xmrig",
            "execution",
            "teamtnt",
            "python",
            "february",
            "tencent",
            "kinsing"
          ],
          "references": [
            "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 9,
            "URL": 1,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "785 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e8b5c4cdc5547cdbad932b",
          "name": "VTA - Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence",
          "description": "A new Linux malware campaign targeting web-facing services such as Docker, Apache Hadoop, Confluence and Redis has been discovered by Cado Security Labs, which is based in London.",
          "modified": "2024-04-05T18:04:00.136000",
          "created": "2024-03-06T18:28:20.019000",
          "tags": [
            "redis",
            "docker",
            "docker engine",
            "cado security",
            "apache hadoop",
            "confluence",
            "cron job",
            "c2 server",
            "labs",
            "cve202226134",
            "execution",
            "teamtnt",
            "python",
            "february",
            "tencent",
            "kinsing",
            "docker api",
            "linux",
            "json"
          ],
          "references": [
            "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Docker API",
              "display_name": "Docker API",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1525",
              "name": "Implant Internal Image",
              "display_name": "T1525 - Implant Internal Image"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 339,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Provintell-Lab",
            "id": "112104",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 7,
            "CVE": 1,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 9,
            "URL": 1,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 252,
          "modified_text": "785 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "660bfbd11d2fb6837fd4de74",
          "name": "Malware Spotlight: Linodas aka DinodasRAT for Linux - Check Point Research",
          "description": "Check Point Research\u2019s Malware Spotlight: Linodas RAT for Linux, a cross-platform remote access tool (RAT) based on the open-source project Gh0st.",
          "modified": "2024-04-02T12:36:33.437000",
          "created": "2024-04-02T12:36:33.437000",
          "tags": [
            "linux",
            "c2 server",
            "dinodasrat",
            "linodas",
            "thread",
            "windows version",
            "os version",
            "windows",
            "check point",
            "method",
            "stop",
            "simpleremoter",
            "service",
            "info",
            "gh0st rat",
            "rats",
            "install",
            "persistence",
            "gh0st"
          ],
          "references": [
            "https://research.checkpoint.com/2024/29676/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gh0st",
              "display_name": "Gh0st",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "788 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "systemd-pcrfs@.service",
        "ibft-rule-generator",
        "SeTkeymap (2)",
        "shadow.service",
        "shutdown.target",
        "plasma-kwin_x11.service",
        "npm-dedupe.md",
        "network",
        "libc6-i386_2.26-0ubuntu2_amd64.symbols",
        "fwupd-offline-update.service",
        "iscsi.service",
        "libc6-i386_2.13-0ubuntu13_amd64.url",
        "suricata-update.service",
        "virtproxyd-tls.socket",
        "libc6-i386_2.17-0ubuntu5.1_amd64.url",
        "systemd.sr.catalog",
        "plasma-baloorunner.service",
        "INSfd (2)",
        "capsule.slice",
        "libc6-i386_2.15-0ubuntu10.18_amd64.url",
        "npm-uninstall.md",
        "systemd-sysext.service",
        "sshuttle.service",
        "npm-access.md",
        "ld.so (2).conf",
        "libssl.pc",
        "systemd-battery-check.service",
        "systemd-portabled.service",
        "connect.php.001",
        "flatpak-oci-authenticator.service",
        "darkstat.service",
        "dbus-broker.catalog",
        "avahi-daemon.service",
        "libc6-i386_2.7-10ubuntu3_amd64.symbols",
        "talk.service",
        "virtstoraged-admin.socket",
        "checkout_info.py",
        "timers.target",
        "systemd.it.catalog",
        "multi-user.target",
        "syslog.conf",
        "at-spi-dbus-bus.service",
        "telnet@.service",
        "libc6-i386_2.4-1ubuntu12.3_amd64.url",
        "libc6-i386_2.27-3ubuntu1_amd64.url",
        "drkonqi-coredump-pickup.service",
        "virtstoraged-ro.socket",
        "iscsid.service",
        "update-notifier.js",
        "modules.usbmap",
        "nss-lookup.target",
        "INSCD",
        "plasma-kwallet-pam.service",
        "wpa_supplicant-nl80211@.service",
        "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
        "systemd-sysext@.service",
        "libc6-i386_2.24-3ubuntu2.2_amd64.url",
        "min-satisfying.js",
        "gvfs-afc-volume-monitor.service",
        "runlevel5.target",
        "ldd",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "fluidsynth.service",
        "systemd-journald-dev-log.socket",
        "initrd-fs.target",
        "99-default.preset",
        "libvirtd-ro.socket",
        "systemd-vconsole-setup.service",
        "ip6tables.service",
        "systemd-bootctl.socket",
        "gssuserproxy.socket",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
        "gcr-ssh-agent.service",
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "SeTDOS (2)",
        ".zcompdump-m1904-5.9",
        "SeTkernel",
        "yate.service",
        "zfs-mount.service",
        "plasma-ksplash-ready.service",
        "npm-install-ci-test.md",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
        "lightdm.service",
        "eq.js",
        "npm-shrinkwrap-json.md",
        "start.js",
        "INSfd",
        "virtsecretd.socket",
        "systemd-pcrlock-machine-id.service",
        "libc6-i386_2.15-0ubuntu10.18_amd64.info",
        "cache.js",
        "shells (2)",
        "cmd-list.js",
        "pkgfile-update.service",
        "README",
        "postgresql.service",
        "systemd-pcrextend.socket",
        "poweroff.target",
        "libc6-i386_2.21-0ubuntu4.3_amd64.url",
        "sbom-spdx.js",
        "systemd-journald-varlink@.socket",
        "payload.php.003",
        "runlevel1.target",
        "systemd-sysusers.service",
        "test.js",
        "pipewire.service",
        "systemd-creds.socket",
        "drecurse.py",
        "preload.js",
        "package-spec.md",
        "zfs-volumes.target",
        "auth.js",
        "npm-ls.md",
        "gvfs-mtp-volume-monitor.service",
        "Crowdsourced IDS rules:",
        "pacrunner.service",
        "split.py",
        "systemd-udevd-kernel.socket",
        "wondershaper.service",
        "sunjava_map.xml",
        "configure-printer@.service",
        "mdmon@.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.url",
        "systemd-growfs-root.service",
        "rc-local.service",
        "reverse_tcp.py",
        "compat.py",
        "systemd-hostnamed.socket",
        "open-url-prompt.js",
        "openssl.pc",
        "diff.js",
        "xplico.service",
        "systemd-ask-password-console.path",
        "update-workspaces.js",
        "libc6-i386_2.30-0ubuntu2_amd64.url",
        "major.js",
        "sshdgenkeys.service",
        "comparator.js",
        "fstab",
        "systemd-pcrfs-root.service",
        "systemd-pcrlock-secureboot-policy.service",
        "iterator.js",
        "p11-kit-server.socket",
        "systemd-rfkill.socket",
        "clamav-freshclam-once.timer",
        "xdg-desktop-portal-xapp.service",
        "cape-dist.service",
        "getty-pre.target",
        "systemd.pt_BR.catalog",
        "systemd-initctl.socket",
        "mysql.service",
        "mdadm-last-resort@.timer",
        "openvpn-server@.service",
        "systemd-poweroff.service",
        "npm-dist-tag.md",
        "nfsv4-exportd.service",
        "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
        "wpa_supplicant-wired@.service",
        "pacman-filesdb-refresh.timer",
        "nvmf-connect@.service",
        "vint.py",
        "gpsd.socket",
        "systemd-pcrphase-sysinit.service",
        "SeTfull",
        "b3336837578",
        "talk.socket",
        "npm-usage.js",
        "iiod.service",
        "explain-eresolve.js",
        "libc6-i386_2.10.1-0ubuntu15_amd64.info",
        "quotaon@.service",
        "libc6-i386_2.23-0ubuntu11_amd64.url",
        "npm-view.md",
        "sndiod.service",
        "modules.dep",
        "payload.php.002",
        "10-arch",
        "hv_vss_daemon.service",
        "npmrc.md",
        "libc6-i386_2.17-0ubuntu5_amd64.url",
        "gtr.js",
        "10-root.conf",
        "npm-install-test.md",
        "virtnwfilterd-admin.socket",
        "virtchd.socket",
        "uuidd.socket",
        "glib-pacrunner.service",
        "ll.js",
        "sysinit.target",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
        "tinc.service",
        "80-container-ve.network",
        "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
        "libc6-i386_2.4-1ubuntu12_amd64.url",
        "securetty",
        "PROMPThelp",
        "pcscd.socket",
        "find-dupes.js",
        "90-nm-cloud-setup.sh",
        "systemd-localed.service",
        "client.py",
        "geoipupdate.service",
        "access.js",
        "remote-fs-pre.target",
        "virtqemud-ro.socket",
        "gvfs-gphoto2-volume-monitor.service",
        "systemd-hibernate.service",
        "sigpwr.target",
        "README.md",
        "mariadb-extra.socket",
        "replace-info.js",
        ".X1-lock",
        "nfsv4-server.service",
        "rasdaemon.service",
        "nvmf-connect.target",
        "libvirtd-tcp.socket",
        "finger@.service",
        "libc6-i386_2.30-0ubuntu2.1_amd64.url",
        "uuidd.service",
        "package-lock-json.md",
        "ip2clued.service",
        "gvmd.service",
        "zfs.target",
        "coerce.js",
        "closemachine.rc",
        "modules.parportmap",
        "borgmatic.service",
        "motd (2)",
        "systemd-homed.service",
        "join.py",
        "reflector.service",
        "snmpd.service",
        "npm-prefix.md",
        "var-lib-machines.mount",
        "libc6-i386_2.13-20ubuntu5.2_amd64.info",
        "Zercega \u2022  ootheca.pw",
        "npm-docs.md",
        "ostree-state-overlay@.service",
        "gpg-agent-ssh@.socket",
        "archlinux-keyring-wkd-sync.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
        "systemd.hu.catalog",
        "libc6-i386_2.24-3ubuntu1_amd64.symbols",
        "libnm-device-plugin-wifi.la",
        "systemd-journald.service",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "epmd.service",
        "krb5-kdc.service",
        "openmachine.rc",
        "initrd-udevadm-cleanup-db.service",
        "eicar",
        "systemd-update-helper",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "podman-clean-transient.service",
        "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
        "unstar.js",
        ".X1024-lock",
        "80-container-vb.network",
        "rm.py",
        "systemd-sysctl.service",
        "min-version.js",
        "root.js",
        "libc6-i386_2.24-11+deb9u4_amd64.info",
        "proc-fs-nfsd.mount",
        "stage2 (2)",
        "ls (2).py",
        "mariadb@.service",
        "initrd.target",
        "format-search-stream.js",
        "rebuild.js",
        "usb_modeswitch@.service",
        "gpg-agent-extra.socket",
        "npm-ci.md",
        "mdmonitor-oneshot.timer",
        "NetworkManager-dispatcher.service",
        "libc6-i386_2.19-10ubuntu2_amd64.url",
        "plasma-kscreen.service",
        "krb5-kpropd.service",
        "owner.js",
        "removepkg (2)",
        "npm.md",
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "60-flatpak",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "nvidia-resume.service",
        "virtproxyd.socket",
        "libc6-i386_2.17-93ubuntu4_amd64.url",
        "ftp.py",
        "rsyncd.socket",
        "resolv.conf",
        "systemd-storagetm.service",
        "dist-tag.js",
        ".zcompdump",
        "issue",
        "apparmor.service",
        "cli-entry.js",
        "systemd-random-seed.service",
        "yallist.js",
        "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
        "netavark-dhcp-proxy.service",
        "wtmp",
        "clamav-daemon.socket",
        "satisfies.js",
        "libnm-device-plugin-bluetooth.la",
        "systemd-networkd-wait-online@.service",
        "pcscd.service",
        "plasma-gmenudbusmenuproxy.service",
        "libc6-i386_2.11.1-0ubuntu7_amd64.url",
        "installed-deep.js",
        "color-support",
        "80-wifi-adhoc.network",
        "chkboot.service",
        "create_ap.service",
        "std (2)",
        "expl_cve_2021_40444.yar.001",
        "SeTpartitions",
        "display.js",
        "wireplumber.service",
        "systemd.be.catalog",
        "hostapd.service",
        "hv_fcopy_daemon.service",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "systemd-journald@.socket",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
        "registry.md",
        "hv_kvp_daemon.service",
        "greenbone-scapdata-sync.timer",
        "krb5-kadmind.service",
        "uksmd.service",
        "libc6-i386_2.10.1-0ubuntu19_amd64.url",
        "libc6-i386_2.13-0ubuntu13.2_amd64.url",
        "qemu-guest-agent.service",
        "libc6-i386_2.13-20ubuntu5.3_amd64.info",
        "phoromatic-server.service",
        "edit.js",
        "wireplumber@.service",
        "systemd-user-sessions.service",
        "postfix.service",
        "systemd-journal-gatewayd.service",
        "libc6-i386_2.29-0ubuntu2_amd64.symbols",
        "cryptsetup-pre.target",
        "pamac-offline-upgrade.service",
        "npm-logout.md",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
        "nm-shared.xml",
        "inc.js",
        "borgmatic.timer",
        "systemd-timesyncd.service",
        "OpenSSLConfigVersion.cmake",
        "NetworkManager-ovs.conf",
        "apt_sandworm_exim_expl.yar.002",
        "libc6-i386_2.23-0ubuntu10_amd64.symbols",
        "update.js",
        "libc6-i386_2.17-93ubuntu4_amd64.info",
        "plymouth-kexec.service",
        "systemd-pcrlock-firmware-code.service",
        "https://bi.zone/expertise/blog/zloumyshlenniki-ekspluatiruyut-uyazvimost-cve-2025-55182-v-atakakh-na-rossiyskie-kompanii/",
        "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "mdmonitor.service",
        "search.js",
        "console-getty.service",
        "virtvboxd-ro.socket",
        "apache-tika.service",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-processor@.service",
        "rpc_pipefs.target",
        "ostree-boot-complete.service",
        "runlevel2.target",
        "cups.service",
        "systemd-pstore.service",
        "gnome-terminal-server.service",
        "dbus.service",
        "SeTpasswd",
        "libc6-i386_2.24-11+deb9u4_amd64.symbols",
        "network.target",
        "https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis",
        "virtlockd-admin.socket",
        "connect.php",
        "wacom-inputattach@.service",
        "cfdisk (2)",
        "gc.py",
        "passim.service",
        "libc6-i386_2.19-0ubuntu6_amd64.info",
        "git-daemon@.service",
        "kde-baloo.service",
        "paccache.timer",
        "cape-fstab.service",
        "systemd.be@latin.catalog",
        "midx (2).py",
        "virt-guest-shutdown.target",
        "systemd-hybrid-sleep.service",
        "libc6-i386_2.17-0ubuntu5.1_amd64.info",
        "systemd-update-utmp-runlevel.service",
        "git.py",
        "options.py",
        "mkdirp",
        "sudo_logsrvd.service",
        "runlevel6.target",
        "graphical.target",
        "team.js",
        "payload.php.014",
        "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
        "fsck (2).ext3",
        "systemd-time-wait-sync.service",
        "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
        "storage-target-mode.target",
        "eicar.001",
        "pamac-daemon.service",
        "ppp@.service",
        "systemd-sysupdate-reboot.timer",
        "https://research.checkpoint.com/2024/29676/",
        "scope.md",
        "dhcpd6.service",
        "yara.pc",
        "systemd-pcrmachine.service",
        "rpcbind.target",
        "syslinux.cfg",
        "libc6-i386_2.30-4_amd64.info",
        "shells",
        "repo.py",
        "suricata.service",
        "gpg-agent-browser.socket",
        "rc.S",
        "systemd-soft-reboot.service",
        "hibernate.target",
        "systemd-resolved.service",
        "makedevs (2).sh",
        "slackinstall",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
        "xdg-document-portal.service",
        "capsule@.service",
        "npm-help-search.md",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "syslog.socket",
        "gpg-agent-ssh.socket",
        "networks (2)",
        "libc6-i386_2.19-10ubuntu2_amd64.info",
        "drkonqi-coredump-launcher.socket",
        "systemd-bootctl@.service",
        "systemd-userdbd.service",
        "npm-prune.md",
        "plasma-xdg-desktop-portal-kde.service",
        "adb.service",
        "auditd.service",
        "libc6-i386_2.10.1-0ubuntu15_amd64.url",
        "hook.js",
        "systemd-tmpfiles-setup.service",
        "outdated.js",
        "container-getty@.service",
        "systemd-hibernate-resume.service",
        "rcompare.js",
        "greenbone-nvt-sync.timer",
        "expl_cve_2021_40444.yar.002",
        "init.js",
        "lynis.timer",
        "isnsd.socket",
        "nohang.service",
        "gpg-agent.socket",
        "MozillaUpdateLock-7A4D7A8EFFB43502",
        "libc6-i386_2.13-0ubuntu13_amd64.symbols",
        "system-update-cleanup.service",
        "systemd-timedated.service",
        "systemd-repart.service",
        "xfce4-notifyd.service",
        "packagekit.service",
        "stdcrt (2)",
        "kingdee-erp-rce.yaml",
        "halt.target",
        "libvirtd-tls.socket",
        "SeTpasswd (2)",
        "connect.php.002",
        "hostapd@.service",
        "empty.lock~",
        "version.py",
        "systemd-userdbd.socket",
        "libc6-i386_2.11.1-0ubuntu7_amd64.info",
        "fsck (2).ext2",
        "wg-quick.target",
        "mtab (2)",
        "systemd-hwdb-update.service",
        "deprecate.js",
        "nfs-mountd.service",
        "gssuserproxy.service",
        "npm-bugs.md",
        "unmigrate (2).sh",
        "virtvboxd.service",
        "styles.css",
        "elasticsearch-keystore@.service",
        "npm-hook.md",
        "libc6-i386_2.27-3ubuntu1_amd64.info",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "proc-sys-fs-binfmt_misc.mount",
        "zfs-scrub-weekly@.timer",
        "rm (2).py",
        "tag.py",
        "cpupower",
        "plasma-restoresession.service",
        "get.py",
        "qrcode-terminal",
        "systemd-pcrphase.service",
        "zgrep",
        "nvidia-suspend.service",
        "httpd.service",
        "freeradius.service",
        "npm-shrinkwrap.md",
        "systemd-networkd.socket",
        "capsule@.target",
        "systemd-bsod.service",
        "plasma-workspace.target",
        "libnm.pc",
        "plasma-core.target",
        "libc6-i386_2.17-93ubuntu4_amd64.symbols",
        "systemd-reboot.service",
        "packagekit-offline-update.service",
        "tar.js",
        "rpcbind.socket",
        "vdecmd",
        "man-db.timer",
        "path.py",
        "initrd-root-fs.target",
        "LICENSE",
        "payload.php.012",
        "PROMPThelp (2)",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page",
        "telnet.socket",
        "SeTconfig (2)",
        "gssproxy.service",
        "dbus-org.freedesktop.login1.service",
        "20-systemd-userdb.conf",
        "libc6-i386_2.28-0ubuntu1_amd64.info",
        "payload.php.006",
        "rsh.socket",
        "nfs-blkmap.service",
        "logrotate.service",
        "systemd-pcrphase-initrd.service",
        "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
        "iscsiuio.service",
        "systemd.ru.catalog",
        "SeTDOS",
        "audit.js",
        "SeTkeymap",
        "npm-link.md",
        "cape-rooter.service",
        "otplease.js",
        "bpftune.service",
        "reify-output.js",
        "memtest.py",
        "INSCD (2)",
        "empty",
        "suspend-then-hibernate.target",
        "tree.py",
        "dbus-broker-launch.catalog",
        "libc6-i386_2.31-0ubuntu6_amd64.symbols",
        "rc.usb",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
        "npm-search.md",
        "arch-audit.timer",
        "vt100",
        "profile",
        "cups-lpd@.service",
        "suspend.target",
        "named.service",
        "range.bnf",
        "dirmngr.socket",
        "log-shim.js",
        "e2scrub_fail@.service",
        "mdadm-grow-continue@.service",
        "cups.socket",
        "libc6-i386_2.19-18+deb8u10_amd64.symbols",
        "nfs-client.target",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "80-container-vz.link",
        "debug-shell.service",
        "ci.js",
        "virtsecretd-ro.socket",
        "setdb.php",
        "shadow",
        "basic.target",
        "profile (2)",
        "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
        "web.py",
        "integritysetup-pre.target",
        "virtnodedevd.service",
        "unpublish.js",
        "ostree-finalize-staged.path",
        "libc6-i386_2.15-0ubuntu20.2_amd64.info",
        "plasma-dolphin.service",
        "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/#background",
        "quotaon-root.service",
        "profile.js",
        "systemd-tpm2-setup-early.service",
        "systemd-journal-remote.socket",
        "systemd-boot-random-seed.service",
        "cups.path",
        "libc6-i386_2.17-0ubuntu5_amd64.info",
        "tmp.mount",
        "INShd",
        "payload.php.013",
        "tinc@.service",
        "gpg-agent-extra@.socket",
        "on__server.py",
        "drkonqi-coredump-launcher@.service",
        "shadow (2)",
        "zfs-trim-weekly@.timer",
        "systemd-ask-password-console.service",
        "libc6-i386_2.24-9ubuntu2_amd64.symbols",
        "alsa-state.service",
        "dbus.socket",
        "lvm2-lvmpolld.service",
        "zfs-volume-wait.service",
        "plasma-kded6.service",
        "cli.js",
        "systemd-importd.service",
        "libc6-i386_2.7-10ubuntu3_amd64.info",
        "rescan-scsi-bus",
        "libc6-i386_2.21-0ubuntu4.3_amd64.info",
        "ls.py",
        "ras-mc-ctl.service",
        "btrfs-scrub@.timer",
        "systemd-sysext.socket",
        "gnome-keyring-daemon.socket",
        "config.md",
        "nfsdcld.service",
        "ModemManager.service",
        "import_duplicity.py",
        "80-vm-vt.network",
        "iwd.service",
        "func.py",
        "lxdm.service",
        "virtproxyd-ro.socket",
        "bmc-watchdog.service",
        "virtlockd.service",
        "i2pd.service",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
        "dm-event.socket",
        "libc6-i386_2.6.1-1ubuntu9_amd64.info",
        "npm-diff.md",
        "libc6-i386_2.5-0ubuntu14_amd64.info",
        "prune.js",
        "log-file.js",
        "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
        "runlevel0.target",
        "guac-web.service",
        "ssh.py",
        "iscsid.socket",
        "virtnwfilterd-ro.socket",
        "time-sync.target",
        "emergency.service",
        "custom.py",
        "cssesc",
        "services (2)",
        "85-nm-unmanaged.rules",
        "virtnwfilterd.service",
        "FDhelp (2)",
        "printer.target",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
        "pamac-cleancache.timer",
        "lxc-auto.service",
        "iodined.service",
        "brc (2)",
        "patch.js",
        "get.js",
        "autovt@.service",
        "systemd-coredump@.service",
        "nbd@.service",
        "first-boot-complete.target",
        "podman-kube@.service",
        "completion.sh",
        "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
        "lvm2-monitor.service",
        "libc6-i386_2.23-0ubuntu10_amd64.info",
        "main.py",
        "help.js",
        "validate-engines.js",
        "group (2)",
        "fstrim.timer",
        "Yara detected: Xmrig cryptocurrency miner",
        "no_ads.txt",
        "plasma-powerdevil.service",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "zfs-zed.service",
        "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
        "veritysetup-pre.target",
        "OpenSSLConfig.cmake",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "stars.js",
        "krb5-kpropd@.service",
        "rfkill-block@.service",
        "npm.js",
        "libc6-i386_2.19-10ubuntu2.3_amd64.info",
        "virtlxcd-ro.socket",
        "libc6-i386_2.19-0ubuntu6.15_amd64.info",
        "docs.js",
        "iscsiuio.socket",
        "arborist",
        "modprobe@.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
        "sslh-fork.service",
        "libc6-i386_2.15-0ubuntu20_amd64.symbols",
        "updatedb.service",
        "systemd-ask-password-wall.service",
        "payload.php.007",
        "install-test.js",
        "session.slice",
        "wg-quick@.service",
        "getPerms.php",
        "plasma-xembedsniproxy.service",
        "nftables.service",
        "https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/",
        "folders.md",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "libc6-i386_2.6.1-1ubuntu10_amd64.url",
        "npm-token.md",
        "clash.service",
        "usbipd.service",
        "INSdir",
        "systemd-update-done.service",
        "initrd-parse-etc.service",
        "80-systemd-timesync.list",
        "bluetooth.service",
        "hosts",
        "imurmurhash.min.js",
        "greenbone-nvt-sync.service",
        "systemd-journald@.service",
        "90-systemd.preset",
        "org.js",
        "plasma-ksystemstats.service",
        "filesize",
        "rescue.service",
        "npm-edit.md",
        "INSdir (2)",
        "libc6-i386_2.28-0ubuntu1_amd64.url",
        "systemd-pcrlock.socket",
        "mdcheck_continue.timer",
        "arborist-cmd.js",
        "cups-lpd.socket",
        "fwupd-refresh.service",
        "libc6-i386_2.3.6-0ubuntu20_amd64.url",
        "remote-cryptsetup.target",
        "queryable.js",
        "sddm.service",
        "libc6-i386_2.6.1-1ubuntu10_amd64.info",
        "10-defaults.conf",
        "elasticsearch.service",
        "systemd-backlight@.service",
        "wpa_supplicant@.service",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "cntlm.service",
        "cpupower.service",
        "range.js",
        "syslinux (2).cfg",
        "keyboxd@.service",
        "asyncrecv.rc",
        "e2scrub@.service",
        "systemd-exit.service",
        "b.txt:ads.txt",
        "adsl.service",
        "initrd-switch-root.service",
        "systemd-logind.service",
        "libc6-i386_2.5-0ubuntu14_amd64.url",
        "systemd-hostnamed.service",
        "fwupd.service",
        "zfs-load-key.service",
        "version (2).py",
        "ltr.js",
        "ptunnel.service",
        "npm-unstar.md",
        "outside.js",
        "virtqemud.service",
        "plasma-krunner.service",
        "seatd.service",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "libc6-i386_2.28-10_amd64.symbols",
        "libc6-i386_2.26-0ubuntu2_amd64.url",
        "get-workspaces.js",
        "systemd-journald-audit.socket",
        "gpg-agent-browser@.socket",
        "systemd-tmpfiles-clean.service",
        "ratholes@.service",
        "a1676298638",
        "xdg-desktop-portal-rewrite-launchers.service",
        "local-fs.target",
        "machines.target",
        "vpnc@.service",
        "parse.js",
        "systemd-homed-activate.service",
        "murmur2",
        "fwupd-refresh.timer",
        "nfs-server.service",
        "setup (2)",
        "virtvboxd.socket",
        "podman.socket",
        "systemd-sysupdate-reboot.service",
        "systemd-remount-fs.service",
        "e2scrub_reap.service",
        "vboxdrmclient.service",
        "libc6-i386_2.30-0ubuntu2_amd64.symbols",
        "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
        "nmb.service",
        "systemd-udev-trigger.service",
        "removepkg",
        "host (2).conf",
        "libc6-i386_2.29-0ubuntu2_amd64.info",
        "SeTmedia",
        "simplify.js",
        "git-daemon.socket",
        "lynis.service",
        "SeTPKG",
        "init.py",
        "sort.js",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "system-systemd\\x2dveritysetup.slice",
        "SeTnopart",
        "lorem.txt",
        "clean.js",
        "HOSTNAME (2)",
        "nscd.service",
        "lxc-net.service",
        "exec.js",
        "libc6-i386_2.19-10ubuntu2_amd64.symbols",
        "ipmiseld.service",
        "lte.js",
        "adduser.js",
        "gpm.service",
        "virtnodedevd-ro.socket",
        "server.py",
        "50-rc_keymap.conf",
        "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
        "http://www.bing.lt/search?q=",
        "systemd-suspend.service",
        "snort@1000.service",
        "explore.js",
        "compare-build.js",
        "mariadb.socket",
        "query.js",
        "libc6-i386_2.26-0ubuntu2.1_amd64.info",
        "npm-pkg.md",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
        "config.js",
        "dedupe.js",
        "systemd-halt.service",
        "systemd-quotacheck@.service",
        "systemd-ask-password-wall.path",
        "virtnetworkd.service",
        "npm-whoami.md",
        "xstat (2).py",
        "SeTmaketag",
        "pcmcia",
        "xrdp.service",
        "3proxy.conf",
        "libc6-i386_2.9-4ubuntu6_amd64.info",
        "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
        "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
        "apt_sandworm_exim_expl.yar.001",
        "reboot.target",
        "modules.pnpbiosmap",
        "node-which",
        "SeTswap",
        "libc6-i386_2.4-1ubuntu12.3_amd64.info",
        "cronie.service",
        "hybrid-sleep.target",
        "libc6-i386_2.10.1-0ubuntu19_amd64.info",
        "man-db.service",
        "syslog (2).conf",
        "virtchd.service",
        "setup",
        "healthd.service",
        "systemd-pcrlock-secureboot-authority.service",
        "payload.php.017",
        "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
        "FDhelp",
        "ostree-finalize-staged-hold.service",
        "libc6-i386_2.3.6-0ubuntu20_amd64.info",
        "xdg-permission-store.service",
        "sendcmd.rc",
        "mysqld.service",
        "lvm2-lvmpolld.socket",
        "subset.js",
        "payload.php.016",
        "xdg-desktop-portal-hyprland.service",
        "mdadm.shutdown",
        "zfs-import.service",
        "desktop.ini",
        "ead.service",
        "apparmor.conf",
        "suricata-update.timer",
        "version.js",
        "plymouth-quit.service",
        "modules.isapnpmap",
        "libc6-i386_2.15-0ubuntu10_amd64.info",
        "list.php",
        "runlevel4.target",
        "makedevs.sh",
        "kcptun@.service",
        "systemd-rfkill.service",
        "inittab",
        "a4033901479",
        "canberra-system-shutdown.service",
        "ratholec@.service",
        "ssh-access.target",
        "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
        "snort@.service",
        "NetworkManager-wait-online.service",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "smartcard.target",
        "80-container-vb.link",
        "virtnodedevd-admin.socket",
        "rathole@.service",
        "sslh-select.service",
        "doctor.js",
        "libc6-i386_2.30-4_amd64.symbols",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
        "clamav-unofficial-sigs.timer",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "npm-root.md",
        "ostree-remount.service",
        "lt.js",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "payload.php.001",
        "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet",
        "virtlogd-admin.socket",
        "index.js",
        "termcap",
        "virtnwfilterd.socket",
        "proc-sys-fs-binfmt_misc.automount",
        "udisks2.service",
        "minor.js",
        "pipewire-pulse.service",
        "blk-availability.service",
        "https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat",
        "pamac-cleancache.service",
        "systemd-pcrlock-make-policy.service",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "mariadb.service",
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/",
        "samba.service",
        "virtnetworkd-ro.socket",
        "ipmidetectd.service",
        "20-systemd-ssh-proxy.conf",
        "npm-cache.md",
        "hashsplit.py",
        "completion.js",
        "modules.ieee1394map",
        "star.js",
        "SeTpartitions (2)",
        "libc6-i386_2.7-10ubuntu8.3_amd64.url",
        "podman-restart.service",
        "libc6-i386_2.19-18+deb8u10_amd64.info",
        "explain-dep.js",
        "publish.js",
        "motd",
        "geoipupdate.timer",
        "???? ????????.txt",
        "libc6-i386_2.21-0ubuntu4_amd64.url",
        "neo4j.service",
        "NetworkManager.service",
        "libc6-i386_2.9-4ubuntu6_amd64.url",
        "systemd-binfmt.service",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "run-script.js",
        "dbus-org.freedesktop.timedate1.service",
        "npm-org.md",
        "nopartHELP (2)",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
        "neq.js",
        "timers.js",
        "cmp.js",
        "50-zfs.preset",
        "systemd-journal-upload.service",
        "install.js",
        "libc6-i386_2.6.1-1ubuntu9_amd64.url",
        "systemd-ask-password-plymouth.service",
        "npm-update.md",
        "libc6-i386_2.23-0ubuntu11_amd64.info",
        "install.md",
        "default.target",
        "npx.md",
        "libc6-i386_2.12.1-0ubuntu6_amd64.url",
        "clamav-unofficial-sigs.service",
        "installpkg (2)",
        "libc6-i386_2.9-4ubuntu6.3_amd64.url",
        "view.js",
        "gpm.path",
        "dirmngr@.service",
        "INShd (2)",
        "rdnssd@.service",
        "virtlxcd.service",
        "fancontrol.service",
        "systemd-networkd.service",
        "migrate.sh",
        "sshd.service",
        "thunar.service",
        "logrotate.timer",
        "systemd.hr.catalog",
        "get-identity.js",
        "zfs-trim@.service",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "usb-gadget.target",
        "systemd-volatile-root.service",
        "eicar.txt",
        "clamav-daemon.service",
        "celery2@.service",
        "npm-run-script.md",
        "dev-hugepages.mount",
        "a.txt:ads.txt",
        "elasticsearch-keystore.service",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
        "defaults.conf",
        "midx.py",
        "libc6-i386_2.28-10_amd64.url",
        "parent.php",
        "rc.inet1",
        "__init__.py",
        "nfs-utils.service",
        "system-systemd\\x2dcryptsetup.slice",
        "libvirtd.service",
        "memavaild.service",
        "dbus-org.freedesktop.machine1.service",
        "machine.slice",
        "virtproxyd.service",
        "keyboxd@.socket",
        "pulseaudio.socket",
        "systemd-quotacheck-root.service",
        "usbmuxd.service",
        "systemd-fsck@.service",
        "brc",
        "libnm.la",
        "libc6-i386_2.30-0ubuntu2.1_amd64.info",
        "80-wifi-ap.network.example",
        "arcolinux-graphical-target.service",
        "final.target",
        "SeTmedia (2)",
        "systemd-update-utmp.service",
        "virtproxyd-tcp.socket",
        "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
        "libc6-i386_2.19-18+deb8u10_amd64.url",
        "avahi-daemon.socket",
        "udp2raw@.service",
        "npm-outdated.md",
        "libc6-i386_2.24-3ubuntu2.2_amd64.info",
        "modules.generic_string",
        "features.py",
        "virtinterfaced-ro.socket",
        "pacman-filesdb-refresh.service",
        "fsck.py",
        "sys-kernel-tracing.mount",
        "umount.target",
        "80-ethernet.network.example",
        "sys-kernel-debug.mount",
        ".X0-lock",
        "lxc.service",
        "libc6-i386_2.13-20ubuntu5_amd64.url",
        "80-vm-vt.link",
        "open-url.js",
        "npm-help.md",
        "libc6-i386_2.24-3ubuntu1_amd64.url",
        "fsck.ext3",
        "quotaon.service",
        "nm-priv-helper.service",
        "dbus-org.freedesktop.import1.service",
        "rescue.target",
        "save.py",
        "npm-find-dupes.md",
        "SeTfull (2)",
        "mdadm-last-resort@.service",
        "virtlogd.socket",
        "SeTkernel (2)",
        "sbom-cyclonedx.js",
        "format-bytes.js",
        "empty (3)",
        "README (2)",
        "nm-cloud-setup.timer",
        "virtnodedevd.socket",
        "dbus-broker.service",
        "e2scrub_all.timer",
        "libc6-i386_2.23-0ubuntu11_amd64.symbols",
        "atftpd.service",
        "nvidia-hibernate.service",
        "systemd-creds@.service",
        "privoxy.service",
        "greenbone-certdata-sync.service",
        "gnupg-pkcs11-scd-proxy.service",
        "link.js",
        "blockdev@.target",
        "scripts.md",
        "libc6-i386_2.19-0ubuntu6_amd64.url",
        "gt.js",
        "base-command.js",
        "re.js",
        "npm-sbom.md",
        "std",
        "npm-audit.md",
        "systemd.zh_TW.catalog",
        "epmd.socket",
        "login (2).defs",
        "libyara.la",
        "iptables.service",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
        "index (2).py",
        "rpc-gssd.service",
        "sbom.js",
        "lxc-monitord.service",
        "explain.js",
        "npm-start.md",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "mux.py",
        "30-root-verity-sig.conf",
        "sleep.target",
        "is-windows.js",
        "systemd-boot-check-no-failures.service",
        "systemd-confext.service",
        "plasma-powerprofile-osd.service",
        "rpc-statd.service",
        "nfs-idmapd.service",
        "chkboot-bootcheck",
        "systemd-oomd.service",
        "virtlxcd.socket",
        "greenbone-feed-sync.service",
        "greenbone-scapdata-sync.service",
        "systemd-homed-firstboot.service",
        "npm-ping.md",
        "probe (2)",
        "unmigrate.sh",
        "package.json",
        "libc6-i386_2.24-3ubuntu1_amd64.info",
        "migrate (2).sh",
        "ndctl-monitor.service",
        "systemd-networkd-persistent-storage.service",
        "plasma-polkit-agent.service",
        "nss-user-lookup.target",
        "hlinkdb.py",
        "libc6-i386_2.26-0ubuntu2.1_amd64.url",
        "systemd-journald.socket",
        "geoclue.service",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "dbus-org.freedesktop.portable1.service",
        "89-ethernet.network.example",
        "npm-explore.md",
        "gte.js",
        "libc6-i386_2.21-0ubuntu4_amd64.info",
        "prerelease.js",
        "ab.1",
        "vt100 (3)",
        "systemd-pcrlock-firmware-config.service",
        "notes.txt",
        "validate-lockfile.js",
        "dunst.service",
        "libc6-i386_2.23-0ubuntu10_amd64.url",
        "package-json.md",
        "scanner.php",
        "svnserve.service",
        "libnm-wwan.la",
        "canberra-system-bootup.service",
        "slackinstall (2)",
        "clash@.service",
        "20-root-verity.conf",
        "daemon.py",
        "source_info.py",
        "npm-unpublish.md",
        "hosts (2)",
        "vt300 (2)",
        "login.defs",
        "libnm-device-plugin-adsl.la",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "podman-auto-update.service",
        "fsck.ext2",
        "borgmatic-user.service",
        "autorandr-lid-listener.service",
        "exabgp.service",
        "payload.php.015",
        "nvmf-autoconnect.service",
        "libc6-i386_2.21-0ubuntu4_amd64.symbols",
        "soft-reboot.target",
        "systemd-suspend-then-hibernate.service",
        "drkonqi-sentry-postman.timer",
        "identifiers.js",
        "systemd-machine-id-commit.service",
        "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
        "xfs_scrub_fail@.service",
        "semver.js",
        "virtchd-ro.socket",
        "dirmngr.service",
        "systemd-udevd.service",
        "constants.js",
        "disk2 (2)",
        "libc6-i386_2.4-1ubuntu12_amd64.symbols",
        "npm-install.md",
        "systemd-oomd.socket",
        "virtchd-admin.socket",
        "p11-kit-server.service",
        "drecurse (2).py",
        "upower.service",
        "bluetooth.target",
        "tlp.service",
        "network-pre.target",
        "login.js",
        "to-comparators.js",
        "gpsd.service",
        "sys-kernel-config.mount",
        "80-auto-link-local.network.example",
        "libc6-i386_2.24-9ubuntu2.2_amd64.url",
        "systemd-growfs@.service",
        "zfs-import.target",
        "avahi-dnsconfd.service",
        "veritysetup.target",
        "uninstall.js",
        "libc6-i386_2.17-0ubuntu5_amd64.symbols",
        "libc6-i386_2.26-0ubuntu2_amd64.info",
        "nsswitch (2).conf",
        "smb.service",
        "local-fs-pre.target",
        "plymouth-quit-wait.service",
        "payload.php",
        "rsyncd.service",
        "logging.md",
        "vboxservice.service",
        "systemd-bless-boot.service",
        "reflector.timer",
        "npm-init.md",
        "npm-version.md",
        "gpsdctl@.service",
        "npm-star.md",
        "read-user-info.js",
        "networks",
        "systemd-journal-remote.service",
        "libc6-i386_2.31-0ubuntu6_amd64.url",
        "payload.php.005",
        "flatpak-session-helper.service",
        "rsh@.service",
        "paths.target",
        "itl-logo (2).txt",
        "npm-test.md",
        "systemd-journal-gatewayd.socket",
        "payload.php.004",
        "systemd-coredump.socket",
        "virtstoraged.socket",
        "factory-reset.target",
        "rabbitmq.service",
        "stage2",
        "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
        "rpc-statd-notify.service",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
        "ld.so.conf",
        "npm-rebuild.md",
        "bugs.js",
        "integritysetup.target",
        "getty@.service",
        "user-runtime-dir@.service",
        "nbd.service",
        "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
        "virtproxyd-admin.socket",
        "libc6-i386_2.7-10ubuntu3_amd64.url",
        "partimaged.service",
        "template-WaR2X6",
        "npm-config.md",
        "getty.target",
        "bup-import-rsnapshot",
        "krb5-kpropd.socket",
        "gvfs-daemon.service",
        "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations",
        "initrd-cleanup.service",
        "xdg-desktop-autostart.target",
        "nvidia-persistenced.service",
        "systemd-kexec.service",
        "cape-processor.service",
        "mongodb.service",
        "pipewire.socket",
        "https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/",
        "systemd-quotacheck.service",
        "SeTfdHELP",
        "sensord.service",
        "90-nm-thunderbolt.rules",
        "libc6-i386_2.13-20ubuntu5.3_amd64.url",
        "boot-complete.target",
        "phoronix-result-server.service",
        "auth-rpcgss-module.service",
        "virtlockd.socket",
        "token.js",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "ufw.service",
        "shquote.py",
        "emergency.target",
        "iscsi-init.service",
        "initrd-usr-fs.target",
        "b529967783",
        "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
        "libc6-i386_2.19-0ubuntu6.15_amd64.url",
        "debug.js",
        "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
        "systemd-sysupdate.timer",
        "background.slice",
        "ping.js",
        "__init__ (2).py",
        "redis-sentinel.service",
        "npm-pack.md",
        "install-ci-test.js",
        "plymouth.conf",
        "gpg-agent.service",
        "bettercap.service",
        "zfs-scrub-monthly@.timer",
        "systemd-tmpfiles-clean.timer",
        "fdisk",
        "intersects.js",
        "fsidd.service",
        "expl_cve_2021_40444.yar",
        "libc6-i386_2.15-0ubuntu20_amd64.url",
        "libc6-i386_2.15-0ubuntu20.2_amd64.url",
        "rc.ieee1394",
        "npm-stop.md",
        "clamav-freshclam-once.service",
        "openvpn-client@.service",
        "reify-finish.js",
        "npm-publish.md",
        "99-default.link",
        "xstat.py",
        "flatpak-portal.service",
        "repo.js",
        "plasma-workspace-x11.target",
        "mariadb@.socket",
        "random.py",
        "stunnel.service",
        "zfs-share.service",
        "plymouth-switch-root-initramfs.service",
        "nm-cloud-setup.service",
        "libc6-i386_2.4-1ubuntu12_amd64.info",
        "virtqemud-admin.socket",
        "dialogrc (2)",
        "celery@.service",
        "error-message.js",
        "updatedb.timer",
        "betterlockscreen@.service",
        "mdcheck_continue.service",
        "tick.py",
        "meta.py",
        "libc6-i386_2.23-0ubuntu3_amd64.info",
        "winbind.service",
        "setdb.php.001",
        "package-url-cmd.js",
        "stop.js",
        "npm-profile.md",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "virtnetworkd-admin.socket",
        "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
        "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks",
        "systemd.bg.catalog",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
        "libcrypto.pc",
        "nm-pppd-plugin.la",
        "workspaces.md",
        "rsort.js",
        "systemd-pcrlock-file-system.service",
        "keyboxd.service",
        "bolt.service",
        "colord-session.service",
        "80-wifi-station.network.example",
        "single.php",
        "libc6-i386_2.27-3ubuntu1_amd64.symbols",
        "ssh-agent.service",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "list_idx.py",
        "84-nm-drivers.rules",
        "libc6-i386_2.28-10_amd64.info",
        "network-online.target",
        "libc6-i386_2.24-9ubuntu2.2_amd64.info",
        "plasma-workspace-wayland.target",
        "vboxdrmclient.path",
        "cxl-monitor.service",
        "SeTnopart (2)",
        "shrinkwrap.js",
        "system-update.target",
        "clamav-clamonacc.service",
        "docker.service",
        "slices.target",
        "ldconfig.service",
        "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
        "exit-handler.js",
        "libc6-i386_2.7-10ubuntu8.3_amd64.info",
        "vfs.py",
        "netdata.service",
        "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
        "e2scrub_all.service",
        "pulse-till-done.js",
        "ctrl-alt-del.target",
        "teamd@.service",
        "plymouth-halt.service",
        "libc6-i386_2.28-0ubuntu1_amd64.symbols",
        "gpg-agent@.service",
        "zfs-trim-monthly@.timer",
        "passwd (2)",
        ".X1025-lock",
        "compare-loose.js",
        "io.py",
        "nvidia-powerd.service",
        "virtinterfaced.service",
        "xrdp-sesman.service",
        "libc6-i386_2.5-0ubuntu14_amd64.symbols",
        "pulseaudio.service",
        "autorandr.service",
        "ostree-prepare-root.service",
        "mdmonitor-oneshot.service",
        "sslh.service",
        "sound.target",
        "unbound.service",
        "libc6-i386_2.29-0ubuntu2_amd64.url",
        "btrfs-scrub@.service",
        "mdcheck_start.timer",
        "lastlog2-import.service",
        "HOSTNAME",
        "initrd-switch-root.target",
        "pam_namespace.service",
        "runlevel3.target",
        "podman-auto-update.timer",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
        "probe",
        "systemd.pl.catalog",
        "libc6-i386_2.13-0ubuntu13.2_amd64.info",
        "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
        "libc6-i386_2.15-0ubuntu20_amd64.info",
        "rlogin@.service",
        "systemd-pcrlock@.service",
        "tumblerd.service",
        "cfdisk",
        "systemd-journal-flush.service",
        "kmod-static-nodes.service",
        "plasma-kcminit.service",
        "zfs-import-scan.service",
        "systemd-pcrextend@.service",
        "60-flatpak-system-only",
        "systemd-vmspawn@.service",
        "pacote",
        "nvmefc-boot-connections.service",
        "plasma-kwin_wayland.service",
        "systemd-networkd-wait-online.service",
        "libc6-i386_2.24-9ubuntu2_amd64.url",
        "netavark-dhcp-proxy.socket",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
        "libc6-i386_2.13-20ubuntu5_amd64.info",
        "xdg-user-dirs-update.service",
        "plasma-kscreen-osd.service",
        "xfs_scrub@.service",
        "virtnetworkd.socket",
        "daxdev-reconfigure@.service",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "cape-web.service",
        "alsa-restore.service",
        "npm-adduser.md",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
        "mtab",
        "systemd-ask-password-plymouth.path",
        "completion.fish",
        "systemd.catalog",
        "systemd-journal-catalog-update.service",
        "guacd.service",
        "canberra-system-shutdown-reboot.service",
        "plasma-kglobalaccel.service",
        "colord.service",
        "empty (2)",
        "systemd.da.catalog",
        "eicar.002",
        "wpa_supplicant.service",
        "libnm-device-plugin-ovs.la",
        "damage.py",
        "help.py",
        "termcap (2)",
        "tinyproxy.service",
        "notes.txt:ads",
        "virtlogd.service",
        "polkit.service",
        "npm-doctor.md",
        "cat_file.py",
        "app.slice",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
        "metadata.py",
        "fstab (2)",
        "systemd.de.catalog",
        "dbus-org.freedesktop.hostname1.service",
        "virtsecretd.service",
        "plasma-ksmserver.service",
        "systemd-network-generator.service",
        "pkgfile-update.timer",
        "dir:ads.txt",
        "zfs-scrub@.service",
        "containerd.service",
        "slapd.service",
        "SeTPKG (2)",
        "vt300",
        "itl-logo.txt",
        "libc6-i386_2.13-20ubuntu5_amd64.symbols",
        "libvirtd.socket",
        "dialogrc",
        "mariadb-extra@.socket",
        "swap.target",
        "tlp",
        "npm-fund.md",
        "npm-repo.md",
        "group",
        "rsyncd@.service",
        "shadow.timer",
        "gvfs-metadata.service",
        "npm-owner.md",
        "lm_sensors.service",
        "itl-logo (3).txt",
        "ntpd.service",
        "exit.target",
        "systemd.ko.catalog",
        "greenbone-certdata-sync.timer",
        "xfs_scrub_all.timer",
        "dnsmasq.service",
        "libc6-i386_2.13-0ubuntu13_amd64.info",
        "payload.php.010",
        "snmptrapd.service",
        "elasticsearch@.service",
        "fund.js",
        "isnsd.service",
        "fstrim.service",
        "ls.js",
        "dm-event.service",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "dconf.service",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "dhcpd4.service",
        "Zercega \u2022 IPv4 84.54.51.82",
        "plasma-plasmashell.service",
        "plymouth-start.service",
        "libc6-i386_2.24-9ubuntu2_amd64.info",
        "libc6-i386_2.31-0ubuntu6_amd64.info",
        "graphical-session-pre.target",
        "iptables-flush",
        "fuse.py",
        "virtlxcd-admin.socket",
        "libnm-device-plugin-wwan.la",
        "iodined.socket",
        "dirmngr@.socket",
        "virtinterfaced.socket",
        "pkgtool",
        "margin.py",
        "libc6-i386_2.30-0ubuntu2_amd64.info",
        "drkonqi-coredump-cleanup.timer",
        "SeTswap (2)",
        "smartd.service",
        "gvfs-udisks2-volume-monitor.service",
        "issue (2)",
        "installed-package-contents",
        "rwhod.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.info",
        "virtsecretd-admin.socket",
        "pkgtool (2)",
        "xsettingsd.service",
        "dbus-org.freedesktop.locale1.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.url",
        "npmrc",
        "systemd-fsck-root.service",
        "SeTmaketag (2)",
        "bup-import-rdiff-backup",
        "zfs-import-cache.service",
        "paccache.service",
        "greenbone-feed-sync.timer",
        "INSNFS",
        "restore.py",
        "host.conf",
        "plymouth-switch-root.service",
        "plymouth-reboot.service",
        "libvirtd-admin.socket",
        "bloom.py",
        "opensnitchd.service",
        "borgmatic-user.timer",
        "initrd-root-device.target",
        "apt_sandworm_exim_expl.yar",
        "keyboxd.socket",
        "cryptsetup.target",
        "on.py",
        "securetty (2)",
        "libc6-i386_2.15-0ubuntu10_amd64.url",
        "ly.service",
        "systemd.fr.catalog",
        "archlinux-keyring-wkd-sync.timer",
        "Zercega \u2022  multi-user.target",
        "helpers.py",
        "developers.md",
        "a.txt",
        "stdcrt",
        "libc6-i386_2.23-0ubuntu3_amd64.symbols",
        "systemd-machined.service",
        "80-iwd.link",
        "var-lib-nfs-rpc_pipefs.mount",
        "ananicy-cpp.service",
        "audit-error.js",
        "remote-fs.target",
        "jack@.service",
        "modules.pcimap",
        "fastnetmon.service",
        "input.pcap",
        "80-container-ve.link",
        "systemd-sysupdate.service",
        "set.js",
        "phoromatic-client.service",
        "systemd-tmpfiles-setup-dev.service",
        "remote-veritysetup.target",
        "vmtoolsd.service",
        "obexstress",
        "dmraid.service",
        "sockets.target",
        "dnscrypt-proxy.service",
        "did-you-mean.js",
        "systemd-firstboot.service",
        "npm-exec.md",
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
        "passwd",
        "logout.js",
        "audit-rules.service",
        "compare.js",
        "dependency-selectors.md",
        "help-search.js",
        ".:ads.txt",
        "prune_older.py",
        "drkonqi-coredump-cleanup.service",
        "systemd-udevd-control.socket",
        "gcr-ssh-agent.socket",
        "empty.exe",
        "user.slice",
        "glob",
        "services",
        "mtools (2).conf",
        "systemd-boot-update.service",
        "nopartHELP",
        "npm-login.md",
        "systemd.zh_CN.catalog",
        "nvidia",
        "npm-completion.md",
        "npm-query.md",
        "search.php",
        "clamav-freshclam.service",
        "nohang-desktop.service",
        "gpg-agent@.socket",
        "https://www.ctfiot.com/287443.html",
        "removal.md",
        "installed-shallow.js",
        "virtstoraged.service",
        "drkonqi-sentry-postman.service",
        "dev-mqueue.mount",
        "kcptun-server@.service",
        "libnm-device-plugin-team.la",
        "pipewire-pulse.socket",
        "virtinterfaced-admin.socket",
        "Zercega \u2022  http://bot.hamsterrace.space:5966/",
        "80-container-host0.network",
        "systemd-modules-load.service",
        "kio-fuse.service",
        "Win.Malware.Salat-10058846-0",
        "xfs_scrub_all.service",
        "ftpd.service",
        "pwdgrp.py",
        "b.txt",
        "plasma-kcminit-phase1.service",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "redis.service",
        "sys-fs-fuse-connections.mount",
        "plasma-ksplash.service",
        "user@.service",
        "payload.php.009",
        "graphical-session.target",
        "systemd-tpm2-setup.service",
        "whoami.js",
        "web-auth.js",
        "podman.service",
        "restart.js",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
        "payload.php.011",
        "crypto-miner.js",
        "libc6-i386_2.30-4_amd64.url",
        "SeTfdHELP (2)",
        "rlogin.socket",
        "80-container-vz.network",
        "orgs.md",
        "systemd-nspawn@.service",
        "80-6rd-tunnel.network",
        "libc6-i386_2.15-0ubuntu10_amd64.symbols",
        "INSNFS (2)",
        "rpcbind.service",
        "index.py",
        "arch-audit.service",
        "rtkit-daemon.service",
        "npm-team.md",
        "docker.socket",
        "lifecycle-cmd.js",
        "max-satisfying.js",
        "stage2 (3)",
        "tracker-xdg-portal-3.service",
        "tpm2.target",
        "payload.php.008",
        "prefix.js",
        "flatpak-system-helper.service",
        "libc6-i386_2.12.1-0ubuntu6_amd64.info",
        "npm-stars.md",
        "libnm-ppp-plugin.la",
        "pkg.js",
        "cape.service",
        "libc6-i386_2.23-0ubuntu3_amd64.url",
        "disk2",
        "tor.service",
        "accounts-daemon.service",
        "nvmf-connect-nbft.service",
        "finger.socket",
        "nsswitch.conf",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "ntpdate.service",
        "mtools.conf",
        "systemd-tmpfiles-setup-dev-early.service",
        "npm-restart.md",
        "virtvboxd-admin.socket",
        "libc6-i386_2.19-0ubuntu6_amd64.symbols",
        "systemd-zram-setup@.service",
        "libc6-i386_2.9-4ubuntu6_amd64.symbols",
        "filter-chain.service",
        "mdcheck_start.service",
        "SeTconfig",
        "ostree-finalize-staged.service",
        "xdg-desktop-portal.service",
        "bloom (2).py",
        "gc (2).py",
        "pack.js",
        "time-set.target",
        "pulseaudio-x11.service",
        "xdg-desktop-portal-gtk.service",
        "kexec.target",
        "plasma-kded.service",
        "fdisk (2)",
        "10-login-barrier.conf",
        "couchdb.service",
        "libvirt-guests.service",
        "vmware-vmblock-fuse.service",
        "x.jnlp",
        "lxc@.service",
        "gnome-keyring-daemon.service",
        "parse-options.js",
        "inittab (2)",
        "3proxy.service",
        "system-update-pre.target",
        "meta.com \u2022 meta.com.apple",
        "rfkill-unblock@.service",
        "installpkg",
        "systemd-initctl.service",
        "80-6rd-tunnel.link",
        "fwupd.shutdown",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "dhclient@.service",
        "reader.php",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "serial-getty@.service",
        "libc6-i386_2.24-11+deb9u4_amd64.url",
        "xl2tpd.service",
        "SUSE-mdadm_env.sh",
        "virtqemud.socket",
        "valid.js"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "8220 Mining Gang"
          ],
          "malware_families": [
            "Tsunami",
            "Zergeca",
            "K4spreader",
            "Pwnrig",
            "Zynorrat"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Lazarus",
            "Chinese Speaking",
            "Springtail"
          ],
          "malware_families": [
            "Alf:jasyp:trojandownloader:win32/smallagent!",
            "Springtail",
            "Cve-2023-22518",
            "Linux",
            "Cve-2014-2321",
            "Botnet",
            "Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t",
            "Remainafterexit",
            "Kretprobe",
            "Cve-2025-20393",
            "Gh0st",
            "Zergeca",
            "Beavertail",
            "Endoor",
            "Worm:win32/autorun!atmn",
            "Mirai",
            "Docker api",
            "Nmbdoptions",
            "Troll",
            "Threat intelligence",
            "Zynorrat",
            "Json",
            "Win.malware.salat-10058846-0",
            "Autoit",
            "Javascript",
            "Successaction",
            "Cve-2018-10562",
            "Cobalt strike",
            "Winbindoptions",
            "Smbdoptions",
            "Vshell",
            "Linkpro",
            "Cve-2024-6387",
            "Win.trojan.emotet-9850453-0",
            "Gobear windows",
            "Windows",
            "Gobear"
          ],
          "industries": [
            "Iot",
            "Government",
            "Academics",
            "Military",
            "Journalists"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 32,
  "pulses": [
    {
      "id": "68c12ec5eb851e4417b21f49",
      "name": "ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT",
      "description": "ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers features such as file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution. The Linux version is fully functional, while the Windows version appears to be in early development. The malware's author seems to be actively working on improving its detection avoidance. ZynorRAT's capabilities include discovery, exfiltration, persistence, and remote code execution on victim machines.",
      "modified": "2025-10-10T07:04:17.642000",
      "created": "2025-09-10T07:54:45.330000",
      "tags": [
        "remote access trojan",
        "zynorrat",
        "go-based",
        "turkish",
        "linux",
        "telegram",
        "windows",
        "c2"
      ],
      "references": [
        "https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ZynorRAT",
          "display_name": "ZynorRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 43,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 10,
        "domain": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386506,
      "modified_text": "233 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66881254e482093db1d6f9ba",
      "name": "New Threat: A Deep Dive Into the Zergeca Botnet",
      "description": "An analysis of a newly discovered botnet named Zergeca, implemented in Go language, with capabilities for DDoS attacks, proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. The report delves into the botnet's unique features, including its multi-DNS resolution methods, encrypted communication protocol, and connection to a previously used IP address associated with Mirai botnets. The analysis covers sample detection, infrastructure details, reverse engineering findings, and provides insights into the author's techniques and expertise.",
      "modified": "2024-08-04T15:04:12.123000",
      "created": "2024-07-05T15:33:40.475000",
      "tags": [
        "zergeca",
        "ddos",
        "botnet",
        "cve-2018-10562",
        "persistence",
        "go",
        "cve-2018-10561",
        "cve-2016-20016",
        "cve-2022-35733",
        "cve-2017-17215"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Germany"
      ],
      "malware_families": [
        {
          "id": "Zergeca",
          "display_name": "Zergeca",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 342,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 7,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386509,
      "modified_text": "664 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6683b8b3d2bafff519c4d24e",
      "name": "Mining Gang's New Tool: k4spreader",
      "description": "Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and releasing other malware like the Tsunami botnet and PwnRig miner. The tool is still in early development with three versions observed so far.",
      "modified": "2024-08-01T08:02:48.060000",
      "created": "2024-07-02T08:22:11.082000",
      "tags": [
        "mining",
        "botnet",
        "tsunami",
        "pwnrig",
        "spreader",
        "k4spreader"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/"
      ],
      "public": 1,
      "adversary": "8220 Mining Gang",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "k4spreader",
          "display_name": "k4spreader",
          "target": null
        },
        {
          "id": "Tsunami",
          "display_name": "Tsunami",
          "target": null
        },
        {
          "id": "PwnRig",
          "display_name": "PwnRig",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1197",
          "name": "BITS Jobs",
          "display_name": "T1197 - BITS Jobs"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 350,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 8,
        "URL": 13,
        "domain": 4,
        "hostname": 7
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386508,
      "modified_text": "668 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a16ac90f5b7cde86d323464",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: there's a name tagged here that's interesting",
      "description": "",
      "modified": "2026-05-27T08:34:24.654000",
      "created": "2026-05-27T08:34:24.654000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "4 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a16ac89787e428fe0f7b045",
      "name": "[\"backup ios...\"] clone by Merkd1904. User note: there's a name tagged here that's interesting",
      "description": "",
      "modified": "2026-05-27T08:34:17.204000",
      "created": "2026-05-27T08:34:17.204000",
      "tags": [
        "fireeye",
        "copyright",
        "base64",
        "dotnettojscript",
        "gadgettojscript",
        "invokeclient",
        "invokeserver",
        "readhost enter",
        "command",
        "roth",
        "nextron",
        "sandworm",
        "detects ssh",
        "grant all",
        "privileges on",
        "to mysqldb",
        "create user",
        "g root",
        "sandworm python",
        "import",
        "phpsploit",
        "host",
        "user",
        "pass",
        "error",
        "establish",
        "pecl oci8",
        "connstr",
        "charset",
        "false",
        "miner",
        "texthtml",
        "module",
        "send custom",
        "swissky",
        "class",
        "serviceip",
        "serviceport",
        "servicedata",
        "e binsh",
        "init",
        "service port",
        "detects",
        "cve202140444",
        "target",
        "targetmode",
        "jeremy brown",
        "windows cve",
        "ms office",
        "modified rule",
        "rperm",
        "wperm",
        "pathsep",
        "string",
        "rwxrxrx",
        "file types",
        "unix",
        "login",
        "autentication",
        "disable",
        "ldapconnect",
        "version",
        "authentication",
        "ldaplist",
        "null",
        "pathelems",
        "execute",
        "backdoor",
        "kingdee oa",
        "yunxingkong",
        "b6oa",
        "code execution",
        "kingdee cloud",
        "starry sky",
        "otherwise",
        "file",
        "setsmartdate",
        "fread",
        "name",
        "force",
        "base64decode",
        "data",
        "substr",
        "array",
        "readdir",
        "getowner",
        "getgroup",
        "getsize",
        "force option",
        "fwrite",
        "permission",
        "check",
        "mode",
        "diraccess",
        "fileaccess",
        "realpath",
        "stat",
        "immutable",
        "posixgetpwuid",
        "posixgetgrgid",
        "explode",
        "etcpasswd",
        "glob",
        "globonlydir",
        "oraclelogin",
        "port",
        "servicename",
        "connector",
        "base",
        "query type",
        "mssqlfetcharray",
        "mssqlassoc",
        "solsocket",
        "timeout",
        "range",
        "portmin",
        "portmax",
        "socketcreate",
        "afinet",
        "sockstream",
        "open",
        "type",
        "true",
        "tcp connection",
        "tcp shell",
        "input",
        "lhost",
        "netcat",
        "lport",
        "shell",
        "dllimport",
        "python",
        "back",
        "fore",
        "pfinet",
        "stdout",
        "this",
        "win32",
        "ldapsearch",
        "select",
        "mysqliassoc",
        "select database",
        "send",
        "newfile",
        "dns stub",
        "third party",
        "see man",
        "exit",
        "o pipefail",
        "v systemctl",
        "devnull",
        "unknown verb",
        "license",
        "gnu lesser",
        "general public",
        "free software",
        "foundation",
        "unit",
        "slice",
        "cpuweight100",
        "tasks slice",
        "cpuweight30",
        "capev2",
        "cape",
        "cuckoo web",
        "setup",
        "grep",
        "limitnofile",
        "install",
        "return",
        "execstart",
        "start",
        "descriptionrun",
        "timer",
        "oncalendardaily",
        "service",
        "prevent rate",
        "delay start",
        "m poetry",
        "sigkill",
        "descriptioncape",
        "ef usercape",
        "g cape",
        "allowisolateyes",
        "typedbus",
        "socket",
        "message bus",
        "listenstream",
        "typenotify",
        "descriptionuser",
        "harald sitter",
        "sitter",
        "kcrash",
        "drkonqi",
        "acceptyes",
        "disable trigger",
        "todo",
        "prevents",
        "path",
        "pathexistsglob",
        "runtimemaxsec31",
        "runtimemaxsec30",
        "restartno",
        "descriptionexit",
        "environmentfile",
        "otheropts",
        "soundfont",
        "descriptiongcr",
        "sshauthsock",
        "descriptionglib",
        "priority6",
        "killmodeprocess",
        "proxy",
        "socketmode0600",
        "apache software",
        "notice file",
        "apache license",
        "unless",
        "as is",
        "basis",
        "or conditions",
        "apple file",
        "conduit monitor",
        "descriptionjack",
        "jackoptions d",
        "driver d",
        "device",
        "media transfer",
        "indexer daemon",
        "memory",
        "memoryhigh512m",
        "system sockets",
        "a user",
        "conditionuser",
        "dbus menus",
        "plasma",
        "phase",
        "workspace core",
        "exit status",
        "x11 connection",
        "timeoutstopsec5",
        "disable restart",
        "timeoutsec40sec",
        "typeoneshot",
        "david edmundson",
        "davidedmundson",
        "osd service",
        "portal",
        "auto restart",
        "dbus",
        "xembed system",
        "logging system",
        "socketmode0660",
        "all containers",
        "restart policy",
        "logging start",
        "execstopbinsh c",
        "logging",
        "x11 plugins",
        "session slice",
        "typeforking",
        "etc userroot",
        "grouproot",
        "onbootsec15min",
        "place",
        "temporary",
        "volatile files",
        "thunar",
        "session manager",
        "wireplumber",
        "service file",
        "xdg autostart",
        "user dir",
        "descriptionxfce",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "memoryfile scan",
        "ansi",
        "bpf program",
        "indicator",
        "bpf firewalling",
        "pcap",
        "pcap processing",
        "bpffallowmulti",
        "bpf device",
        "date",
        "suspicious",
        "hybrid",
        "crypto",
        "close",
        "click",
        "april",
        "strings",
        "february",
        "middle",
        "exploit",
        "gameover",
        "contact",
        "scope",
        "thomas koch",
        "gpl v2",
        "imsm",
        "ibftruledir",
        "ibftrules",
        "attr",
        "systemd rule",
        "hannes reinecke",
        "suse labs",
        "ipibft",
        "interface",
        "kernel",
        "configfile",
        "typesimple",
        "apparmor",
        "grouparchaudit",
        "hardening",
        "umask077",
        "persistenttrue",
        "enable debug",
        "networkmanager",
        "trace",
        "wait online",
        "edit",
        "note",
        "reload",
        "capdacoverride",
        "dhcp etc",
        "mdadmscan",
        "mdadmdelay",
        "mdadmmail",
        "mdadmprogram",
        "mdadmconfig",
        "mdadmsendmail",
        "p runsysconfig",
        "userroot",
        "sssd",
        "write access",
        "needed sometime",
        "statedirectory",
        "accountsservice",
        "varloglastlog",
        "bridge daemon",
        "alsa card",
        "card state",
        "required",
        "another auto",
        "nice daemon",
        "memorymax64m",
        "filter system",
        "mount",
        "reboot",
        "clock",
        "logging service",
        "requires",
        "before",
        "please",
        "exit codes",
        "proc",
        "descriptionruns",
        "execstartsh c",
        "switchtoggle",
        "ignoreonisolate",
        "term typeidle",
        "without",
        "any warranty",
        "merchantability",
        "fitness",
        "a particular",
        "vartmp",
        "wants type",
        "preparation",
        "watchdogsec10",
        "filesystem",
        "timer daemon",
        "options",
        "environment",
        "prevent",
        "readwritepaths",
        "security",
        "certain",
        "protectsystem",
        "bindpaths",
        "lower cpu",
        "nice19",
        "manager",
        "userc",
        "celerydnodes",
        "info",
        "chaddevops",
        "aaron brighton",
        "clam antivirus",
        "jon kriel",
        "distribution",
        "script",
        "sanesecurity",
        "securiteinfo",
        "malwarepatrol",
        "oitc",
        "file location",
        "remember",
        "typeexec user",
        "9 cntlm",
        "generate color",
        "profiles",
        "removeipctrue",
        "devpts",
        "authors",
        "any kind",
        "usercouchdb",
        "restartsec5",
        "volumes",
        "server socket",
        "user209",
        "daemon",
        "darkstatiface",
        "reloadconfig",
        "watchdogsec3min",
        "privatetmpyes",
        "protectproc",
        "increase",
        "descriptiontime",
        "date service",
        "debugging only",
        "ignoresigpipeno",
        "unset locale",
        "file system",
        "queue file",
        "whatmqueue",
        "optionsnosuid",
        "pf rundhclient",
        "rate",
        "requiresdirmngr",
        "capfowner",
        "capsetpcap",
        "dhcp",
        "dns server",
        "startlimit",
        "limits",
        "delegateyes",
        "descriptionpass",
        "runtimemaxsec5",
        "mountain",
        "metadata check",
        "all filesystems",
        "online metadata",
        "sunday",
        "oncalendarsun",
        "online ext4",
        "sigterm signal",
        "java process",
        "piddir",
        "standardoutput",
        "elasticsearch",
        "limitnproc4096",
        "limitasinfinity",
        "sendsighupyes",
        "mapper daemon",
        "mainpid",
        "quit",
        "listenstream79",
        "radius server",
        "d etcraddb",
        "protecthomeon",
        "default",
        "systemservice",
        "efiefi bootefi",
        "afinet afinet6",
        "afunix afinet",
        "oncalendar 0000",
        "privatetmptrue",
        "geoip legacy",
        "geoip2",
        "instance",
        "usergit",
        "scdconfig",
        "notice",
        "devinputmice t",
        "descriptiongps",
        "system",
        "sock refclock",
        "gpsdoptions",
        "devices",
        "daemon sockets",
        "2947",
        "bindipv6onlyyes",
        "usbauto",
        "usrbingpsdctl",
        "gps daemon",
        "afterdev",
        "gvmddata",
        "varlibgssproxy",
        "nonewprivileges",
        "privatetmp",
        "protecthome",
        "ieee",
        "etchostapd",
        "killmodemixed",
        "fcopy",
        "uncomment",
        "use sigterm",
        "sigkill i2pd",
        "sendsigkillyes",
        "limitnofile8192",
        "systemd",
        "analog",
        "shutting down",
        "iodineextip p",
        "iodineport p",
        "iodineuser",
        "tunip",
        "topdomain",
        "guessmainpidyes",
        "m node",
        "wants",
        "initiatorname",
        "io driver",
        "typeexec",
        "c etckcptun",
        "usernobody",
        "requireskeyboxd",
        "static device",
        "nofork",
        "restartalways",
        "linker cache",
        "hack",
        "use wants",
        "raise",
        "tasksmax",
        "tasksmax32768",
        "limitmemlock64m",
        "removeonstopyes",
        "ip socket",
        "tls ip",
        "conflictsgetty",
        "aftergetty",
        "busmodules",
        "qabr",
        "hwmonmodules",
        "local file",
        "privatenetwork",
        "lvm2",
        "initialization",
        "autoboot code",
        "s delegatetrue",
        "description",
        "pidfilerunlxc",
        "lynis service",
        "adjust path",
        "lynis binary",
        "lynis timer",
        "tell systemd",
        "lynis security",
        "persistentfalse",
        "container slice",
        "recover",
        "varcacheman",
        "regenerate man",
        "userroot nice19",
        "mysqldopts",
        "mysqldsafe",
        "timezone",
        "core",
        "restart",
        "users",
        "backlog150",
        "listenstreams",
        "servicemariadb",
        "mechanism",
        "mariadb",
        "multi instance",
        "variables",
        "bindirmdadm",
        "gnu general",
        "public license",
        "reshape",
        "onactivesec30",
        "oncalendar",
        "wantedby",
        "monitor",
        "allow mdmon",
        "takeover",
        "k none",
        "c devnull",
        "d runinitramfs",
        "p runmongodb",
        "limitnproc32000",
        "limitmemlock5",
        "device server",
        "requiredbydev",
        "d dev",
        "descriptionreal",
        "extraopts",
        "restartsec30",
        "valid",
        "fifo",
        "priority",
        "batch",
        "nice0",
        "partof",
        "tracking daemon",
        "helper",
        "for testing",
        "only",
        "restrict",
        "grant",
        "capsysptrace",
        "capkill",
        "capipclock",
        "environ",
        "capsysresource",
        "capsyslog",
        "descriptionname",
        "service cache",
        "sysvlsb",
        "descriptionhost",
        "network name",
        "group name",
        "u ntp",
        "time service",
        "t hibernate",
        "software",
        "other",
        "the software",
        "daemon init",
        "software is",
        "provided",
        "fcnvme",
        "wantsmodprobe",
        "aftermodprobe",
        "descriptionall",
        "nbft",
        "nvmeof",
        "connectargs",
        "unit file",
        "descriptionnvmf",
        "red hat",
        "without any",
        "warranty",
        "card daemon",
        "socketmode0666",
        "suite result",
        "kexec screen",
        "oncalendarsat",
        "boot screen",
        "timeoutsec20",
        "power off",
        "runtime data",
        "descriptionhold",
        "timeoutsec0",
        "sandboxing",
        "execstop",
        "colin walters",
        "upgrade",
        "upgrade output",
        "umask0077",
        "transport agent",
        "descriptionmake",
        "descriptionppp",
        "whatnfsd",
        "file formats",
        "automount point",
        "automount",
        "setuid nobody",
        "setgid nobody",
        "setcon",
        "syslog",
        "restartonabort",
        "halt screen",
        "reboot screen",
        "pgroot",
        "postgresql",
        "oom killer",
        "additional",
        "fy nice19",
        "endless os",
        "foundation llc",
        "restartsec0",
        "system quotas",
        "rabbitmq",
        "protecthometrue",
        "etcrathole",
        "guessmainpidno",
        "h etcrdnssd",
        "reflector",
        "afinet6 afunix",
        "umask177",
        "remote file",
        "nfs client",
        "nfsv23 locking",
        "make sure",
        "rpc netconfig",
        "descriptionfast",
        "using ssh",
        "so let",
        "boot",
        "realtimekit",
        "rwhodopts",
        "display manager",
        "specify",
        "interval l",
        "loginterval f",
        "bindstodev",
        "always",
        "usrbingrpck r",
        "slapdoptions",
        "u ldap",
        "slapdurls",
        "smart",
        "pciusb",
        "midi",
        "daemonopts",
        "snmp",
        "trap daemon",
        "g snort",
        "descriptionsudo",
        "hibernate",
        "svnserveargs",
        "whatfusectl",
        "whatconfigfs",
        "whatdebugfs",
        "whattracefs",
        "best way",
        "see https",
        "units service",
        "service slice",
        "offline system",
        "update",
        "wall directory",
        "timeoutsec90s",
        "descriptionmark",
        "current boot",
        "loader entry",
        "any system",
        "units",
        "loader random",
        "loader update",
        "service socket",
        "dump socket",
        "optionally",
        "root device",
        "afalg afinet",
        "execstophomectl",
        "home area",
        "named pipe",
        "sink service",
        "sink socket",
        "upload service",
        "dynamicuseryes",
        "sigkilled",
        "devlog",
        "timestampingus",
        "namespace",
        "sendbuffer8m",
        "kernel command",
        "netlink socket",
        "storage",
        "descriptionwait",
        "network",
        "make",
        "deviceallow",
        "reserve",
        "killer socket",
        "root file",
        "measurement",
        "pcr policy",
        "tpm pcr",
        "code",
        "configuration",
        "machine id",
        "barrier",
        "quota check",
        "system quota",
        "after",
        "random seed",
        "kernel file",
        "gpt partition",
        "kill switch",
        "nvmetcp",
        "trigger",
        "saturday",
        "persistentyes",
        "system update",
        "kernel time",
        "capsystime",
        "ntp service",
        "turn",
        "files",
        "device nodes",
        "srk setup",
        "device events",
        "bootshutdown",
        "change",
        "manager socket",
        "descriptiontinc",
        "proxy server",
        "linrunner",
        "descriptiontlp",
        "tor service",
        "f etctortorrc",
        "tpm device",
        "descriptionudp",
        "tcpicmpudp",
        "etcudp2raw",
        "debug",
        "swap",
        "api file",
        "privatedevices",
        "home",
        "root",
        "runuser",
        "linux control",
        "groups",
        "group",
        "afnetlink",
        "locked memory",
        "limitmemlock0",
        "usb gadget",
        "apple",
        "sliceuser",
        "descriptionuuid",
        "compatibility",
        "typerpcpipefs",
        "vmsvga",
        "hypervisor",
        "usr1",
        "mgmt appuser",
        "dac permission",
        "selinux",
        "xxx someone",
        "qemu",
        "machine tools",
        "vmware tools",
        "pidfilerunvpnc",
        "wacom",
        "iface d",
        "dspeed u",
        "iface",
        "descriptionwpa",
        "oracle",
        "reserved",
        "wong",
        "emailaddr",
        "tunnel protocol",
        "l2tp",
        "isps",
        "russia use",
        "ipsec",
        "d optxplico",
        "b sqlite",
        "descriptionxrdp",
        "xrdpoptions",
        "process",
        "sesmanoptions",
        "zpoolimportopts",
        "an o",
        "t scrub",
        "usrbinzpool",
        "zfs volume",
        "descriptionzfs",
        "f restartalways",
        "remainafterexit",
        "nmbdoptions",
        "smbdoptions",
        "successaction",
        "winbindoptions",
        "ck id",
        "hybrid analysis",
        "mitre att",
        "malicious",
        "sdshared ansi",
        "default und",
        "func global",
        "func local",
        "object local",
        "general",
        "show technique",
        "ck matrix",
        "tasksmax33",
        "empty file",
        "proxycommand",
        "checkhostip",
        "afunix",
        "afvsock",
        "allow",
        "r table",
        "chkbootcheck",
        "gplv2 source",
        "chkbootstyles",
        "etcissue",
        "partition",
        "minimizebest",
        "mit no",
        "match",
        "link",
        "namepolicykeep",
        "ethernet link",
        "kindveth nameve",
        "kindveth namevb",
        "keepmasteryes",
        "dhcpv4",
        "kindsit name6rd",
        "ipv4ll",
        "ipv6ll",
        "dhcpipv6ra",
        "dhcpv6",
        "typeether",
        "dhcpyes",
        "usetimezoneyes",
        "typewlan",
        "tuntap",
        "natdhcp",
        "kindtun namevt",
        "kind",
        "originalname",
        "definedby",
        "peer",
        "sopeergroups",
        "dbus protocol",
        "dbus name",
        "exec",
        "hup signal",
        "sighup",
        "dnssec",
        "sessionid",
        "seatid",
        "sleep",
        "leader",
        "jobresult",
        "coredumppid",
        "coredumpcomm",
        "junit",
        "na zapusk",
        "mikrasiekund",
        "enhed",
        "mikrosekunder",
        "opstart",
        "jobid",
        "a rendszer",
        "ezredmsodpercet",
        "a rendszernapl",
        "user manager",
        "smack",
        "lunit",
        "stato",
        "il processo",
        "il sistema",
        "stata",
        "le processus",
        "notez que",
        "jedinica",
        "zapamtite da",
        "nova",
        "jednostka",
        "prosz zauway",
        "zwykle wskazuje",
        "jest",
        "o processo",
        "processo",
        "isso",
        "inicializao",
        "journal",
        "sizelimit",
        "userid",
        "prozess",
        "speicherabbild",
        "hinweis auf",
        "programmfehler",
        "fehler dem",
        "die systemzeit",
        "realtime"
      ],
      "references": [
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "apt_sandworm_exim_expl.yar.002",
        "apt_sandworm_exim_expl.yar.001",
        "apt_sandworm_exim_expl.yar",
        "connect.php",
        "connect.php.002",
        "connect.php.001",
        "crypto-miner.js",
        "eicar",
        "eicar.001",
        "eicar.002",
        "custom.py",
        "eicar.txt",
        "expl_cve_2021_40444.yar.001",
        "expl_cve_2021_40444.yar.002",
        "getPerms.php",
        "input.pcap",
        "list.php",
        "parent.php",
        "payload.php",
        "payload.php.001",
        "kingdee-erp-rce.yaml",
        "payload.php.003",
        "payload.php.002",
        "payload.php.004",
        "payload.php.005",
        "payload.php.006",
        "payload.php.007",
        "payload.php.008",
        "payload.php.010",
        "payload.php.011",
        "payload.php.009",
        "payload.php.012",
        "payload.php.013",
        "payload.php.015",
        "payload.php.016",
        "payload.php.017",
        "reverse_tcp.py",
        "scanner.php",
        "search.php",
        "setdb.php",
        "payload.php.014",
        "setdb.php.001",
        "reader.php",
        "single.php",
        "resolv.conf",
        "systemd-update-helper",
        "90-systemd.preset",
        "60-flatpak",
        "app.slice",
        "background.slice",
        "README.md",
        "bluetooth.target",
        "basic.target",
        "borgmatic-user.timer",
        "borgmatic-user.service",
        "cape.service",
        "cape-dist.service",
        "cape-processor.service",
        "cape-rooter.service",
        "capsule@.target",
        "cape-web.service",
        "clash.service",
        "colord-session.service",
        "dbus.socket",
        "cape-fstab.service",
        "dbus.service",
        "dbus-broker.service",
        "dconf.service",
        "dirmngr.service",
        "default.target",
        "drkonqi-coredump-cleanup.service",
        "dirmngr.socket",
        "drkonqi-coredump-cleanup.timer",
        "drkonqi-coredump-launcher.socket",
        "drkonqi-sentry-postman.path",
        "drkonqi-coredump-pickup.service",
        "drkonqi-sentry-postman.service",
        "drkonqi-sentry-postman.timer",
        "drkonqi-coredump-launcher@.service",
        "dunst.service",
        "flatpak-oci-authenticator.service",
        "filter-chain.service",
        "exit.target",
        "flatpak-session-helper.service",
        "fluidsynth.service",
        "gcr-ssh-agent.socket",
        "flatpak-portal.service",
        "gcr-ssh-agent.service",
        "gnome-keyring-daemon.service",
        "glib-pacrunner.service",
        "gnome-keyring-daemon.socket",
        "gpg-agent-ssh.socket",
        "gnome-terminal-server.service",
        "gpg-agent-extra.socket",
        "gpg-agent.service",
        "gpg-agent.socket",
        "gpg-agent-browser.socket",
        "graphical-session-pre.target",
        "graphical-session.target",
        "gssuserproxy.socket",
        "guacd.service",
        "gvfs-gphoto2-volume-monitor.service",
        "gvfs-daemon.service",
        "gssuserproxy.service",
        "gvfs-afc-volume-monitor.service",
        "gvfs-metadata.service",
        "jack@.service",
        "guac-web.service",
        "gvfs-udisks2-volume-monitor.service",
        "gvfs-mtp-volume-monitor.service",
        "kde-baloo.service",
        "keyboxd.service",
        "kio-fuse.service",
        "keyboxd.socket",
        "p11-kit-server.service",
        "p11-kit-server.socket",
        "paths.target",
        "pipewire.socket",
        "pipewire-pulse.service",
        "plasma-gmenudbusmenuproxy.service",
        "pipewire-pulse.socket",
        "plasma-baloorunner.service",
        "plasma-kcminit.service",
        "plasma-dolphin.service",
        "plasma-kcminit-phase1.service",
        "plasma-core.target",
        "plasma-kded.service",
        "pipewire.service",
        "plasma-kded6.service",
        "plasma-kglobalaccel.service",
        "at-spi-dbus-bus.service",
        "plasma-krunner.service",
        "plasma-kscreen.service",
        "plasma-kscreen-osd.service",
        "plasma-ksmserver.service",
        "plasma-ksplash.service",
        "plasma-ksplash-ready.service",
        "plasma-ksystemstats.service",
        "plasma-kwallet-pam.service",
        "plasma-kwin_wayland.service",
        "plasma-kwin_x11.service",
        "plasma-plasmashell.service",
        "plasma-polkit-agent.service",
        "plasma-powerdevil.service",
        "plasma-powerprofile-osd.service",
        "plasma-restoresession.service",
        "plasma-workspace.target",
        "plasma-workspace-wayland.target",
        "plasma-workspace-x11.target",
        "plasma-xdg-desktop-portal-kde.service",
        "plasma-xembedsniproxy.service",
        "podman.service",
        "podman.socket",
        "podman-auto-update.service",
        "podman-auto-update.timer",
        "podman-kube@.service",
        "podman-restart.service",
        "printer.target",
        "pulseaudio.service",
        "pulseaudio.socket",
        "pulseaudio-x11.service",
        "session.slice",
        "shutdown.target",
        "smartcard.target",
        "sockets.target",
        "sound.target",
        "ssh-agent.service",
        "suricata.service",
        "suricata-update.service",
        "suricata-update.timer",
        "systemd-exit.service",
        "systemd-tmpfiles-clean.service",
        "systemd-tmpfiles-clean.timer",
        "systemd-tmpfiles-setup.service",
        "thunar.service",
        "timers.target",
        "tracker-xdg-portal-3.service",
        "tumblerd.service",
        "wireplumber.service",
        "wireplumber@.service",
        "xdg-desktop-autostart.target",
        "xdg-desktop-portal.service",
        "xdg-desktop-portal-gtk.service",
        "xdg-desktop-portal-hyprland.service",
        "xdg-desktop-portal-rewrite-launchers.service",
        "xdg-desktop-portal-xapp.service",
        "xdg-permission-store.service",
        "xdg-user-dirs-update.service",
        "xfce4-notifyd.service",
        "xsettingsd.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "defaults.conf",
        "apparmor.conf",
        "nvidia",
        "tlp",
        "fwupd.shutdown",
        "mdadm.shutdown",
        "99-default.preset",
        "50-zfs.preset",
        "ibft-rule-generator",
        "10-arch",
        "60-flatpak-system-only",
        "3proxy.service",
        "apache-tika.service",
        "apparmor.service",
        "arch-audit.service",
        "arch-audit.timer",
        "NetworkManager-dispatcher.service",
        "NetworkManager-wait-online.service",
        "NetworkManager.service",
        "SUSE-mdadm_env.sh",
        "ModemManager.service",
        "3proxy.conf",
        "archlinux-keyring-wkd-sync.service",
        "adsl.service",
        "accounts-daemon.service",
        "adb.service",
        "alsa-restore.service",
        "alsa-state.service",
        "archlinux-keyring-wkd-sync.timer",
        "ananicy-cpp.service",
        "arcolinux-graphical-target.service",
        "atftpd.service",
        "audit-rules.service",
        "auditd.service",
        "auth-rpcgss-module.service",
        "autorandr.service",
        "autorandr-lid-listener.service",
        "autovt@.service",
        "avahi-daemon.service",
        "avahi-daemon.socket",
        "avahi-dnsconfd.service",
        "bettercap.service",
        "betterlockscreen@.service",
        "blk-availability.service",
        "blockdev@.target",
        "bluetooth.service",
        "bmc-watchdog.service",
        "bolt.service",
        "boot-complete.target",
        "borgmatic.service",
        "borgmatic.timer",
        "bpftune.service",
        "btrfs-scrub@.service",
        "btrfs-scrub@.timer",
        "canberra-system-bootup.service",
        "canberra-system-shutdown.service",
        "canberra-system-shutdown-reboot.service",
        "capsule.slice",
        "capsule@.service",
        "celery2@.service",
        "celery@.service",
        "chkboot.service",
        "clamav-clamonacc.service",
        "clamav-daemon.service",
        "clamav-daemon.socket",
        "clamav-freshclam.service",
        "clamav-freshclam-once.service",
        "clamav-freshclam-once.timer",
        "clamav-unofficial-sigs.service",
        "clamav-unofficial-sigs.timer",
        "clash@.service",
        "cntlm.service",
        "colord.service",
        "configure-printer@.service",
        "console-getty.service",
        "container-getty@.service",
        "containerd.service",
        "couchdb.service",
        "cpupower.service",
        "create_ap.service",
        "cronie.service",
        "cryptsetup.target",
        "cryptsetup-pre.target",
        "ctrl-alt-del.target",
        "cups.path",
        "cups.service",
        "cups.socket",
        "cups-lpd.socket",
        "cups-lpd@.service",
        "cxl-monitor.service",
        "darkstat.service",
        "daxdev-reconfigure@.service",
        "dbus-org.freedesktop.hostname1.service",
        "dbus-org.freedesktop.import1.service",
        "dbus-org.freedesktop.locale1.service",
        "dbus-org.freedesktop.login1.service",
        "dbus-org.freedesktop.machine1.service",
        "dbus-org.freedesktop.portable1.service",
        "dbus-org.freedesktop.timedate1.service",
        "debug-shell.service",
        "dev-hugepages.mount",
        "dev-mqueue.mount",
        "dhclient@.service",
        "dhcpd4.service",
        "dhcpd6.service",
        "dirmngr@.service",
        "dirmngr@.socket",
        "dm-event.service",
        "dm-event.socket",
        "dmraid.service",
        "dnscrypt-proxy.service",
        "dnsmasq.service",
        "docker.service",
        "docker.socket",
        "drkonqi-coredump-processor@.service",
        "e2scrub@.service",
        "e2scrub_all.service",
        "e2scrub_all.timer",
        "e2scrub_fail@.service",
        "e2scrub_reap.service",
        "ead.service",
        "elasticsearch.service",
        "elasticsearch-keystore.service",
        "elasticsearch-keystore@.service",
        "elasticsearch@.service",
        "emergency.service",
        "emergency.target",
        "epmd.service",
        "epmd.socket",
        "exabgp.service",
        "factory-reset.target",
        "fancontrol.service",
        "fastnetmon.service",
        "final.target",
        "finger.socket",
        "finger@.service",
        "first-boot-complete.target",
        "flatpak-system-helper.service",
        "freeradius.service",
        "fsidd.service",
        "fstrim.service",
        "fstrim.timer",
        "ftpd.service",
        "fwupd.service",
        "fwupd-offline-update.service",
        "fwupd-refresh.service",
        "fwupd-refresh.timer",
        "geoclue.service",
        "geoipupdate.service",
        "geoipupdate.timer",
        "getty.target",
        "getty-pre.target",
        "getty@.service",
        "git-daemon.socket",
        "git-daemon@.service",
        "gnupg-pkcs11-scd-proxy.service",
        "gpg-agent-browser@.socket",
        "gpg-agent-extra@.socket",
        "gpg-agent-ssh@.socket",
        "gpg-agent@.service",
        "gpg-agent@.socket",
        "gpm.path",
        "gpm.service",
        "gpsd.service",
        "gpsd.socket",
        "gpsdctl@.service",
        "graphical.target",
        "greenbone-certdata-sync.service",
        "greenbone-certdata-sync.timer",
        "greenbone-feed-sync.service",
        "greenbone-feed-sync.timer",
        "greenbone-nvt-sync.service",
        "greenbone-nvt-sync.timer",
        "greenbone-scapdata-sync.service",
        "greenbone-scapdata-sync.timer",
        "gssproxy.service",
        "gvmd.service",
        "halt.target",
        "healthd.service",
        "hibernate.target",
        "hostapd.service",
        "hostapd@.service",
        "httpd.service",
        "hv_fcopy_daemon.service",
        "hv_kvp_daemon.service",
        "hv_vss_daemon.service",
        "hybrid-sleep.target",
        "i2pd.service",
        "iiod.service",
        "initrd.target",
        "initrd-cleanup.service",
        "initrd-fs.target",
        "initrd-parse-etc.service",
        "initrd-root-device.target",
        "initrd-root-fs.target",
        "initrd-switch-root.service",
        "initrd-switch-root.target",
        "initrd-udevadm-cleanup-db.service",
        "initrd-usr-fs.target",
        "integritysetup.target",
        "integritysetup-pre.target",
        "iodined.service",
        "iodined.socket",
        "ip2clued.service",
        "ip6tables.service",
        "ipmidetectd.service",
        "ipmiseld.service",
        "iptables.service",
        "iscsi.service",
        "iscsi-init.service",
        "iscsid.service",
        "iscsid.socket",
        "iscsiuio.service",
        "iscsiuio.socket",
        "isnsd.service",
        "isnsd.socket",
        "iwd.service",
        "kcptun-server@.service",
        "kcptun@.service",
        "kexec.target",
        "keyboxd@.service",
        "keyboxd@.socket",
        "kmod-static-nodes.service",
        "krb5-kadmind.service",
        "krb5-kdc.service",
        "krb5-kpropd.service",
        "krb5-kpropd.socket",
        "krb5-kpropd@.service",
        "lastlog2-import.service",
        "ldconfig.service",
        "libvirt-guests.service",
        "libvirtd.service",
        "libvirtd.socket",
        "libvirtd-admin.socket",
        "libvirtd-ro.socket",
        "libvirtd-tcp.socket",
        "libvirtd-tls.socket",
        "lightdm.service",
        "lm_sensors.service",
        "local-fs.target",
        "local-fs-pre.target",
        "logrotate.service",
        "logrotate.timer",
        "lvm2-lvmpolld.service",
        "lvm2-lvmpolld.socket",
        "lvm2-monitor.service",
        "lxc.service",
        "lxc-auto.service",
        "lxc-monitord.service",
        "lxc-net.service",
        "lxc@.service",
        "lxdm.service",
        "ly.service",
        "lynis.service",
        "lynis.timer",
        "machine.slice",
        "machines.target",
        "man-db.service",
        "man-db.timer",
        "mariadb.service",
        "mariadb.socket",
        "mariadb-extra.socket",
        "mariadb-extra@.socket",
        "mariadb@.service",
        "mariadb@.socket",
        "mdadm-grow-continue@.service",
        "mdadm-last-resort@.service",
        "mdadm-last-resort@.timer",
        "mdcheck_continue.service",
        "mdcheck_continue.timer",
        "mdcheck_start.service",
        "mdcheck_start.timer",
        "mdmon@.service",
        "mdmonitor.service",
        "mdmonitor-oneshot.service",
        "mdmonitor-oneshot.timer",
        "memavaild.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "modprobe@.service",
        "mongodb.service",
        "multi-user.target",
        "mysql.service",
        "mysqld.service",
        "named.service",
        "nbd.service",
        "nbd@.service",
        "ndctl-monitor.service",
        "neo4j.service",
        "netavark-dhcp-proxy.service",
        "netavark-dhcp-proxy.socket",
        "netdata.service",
        "network.target",
        "network-online.target",
        "network-pre.target",
        "nfs-blkmap.service",
        "nfs-client.target",
        "nfs-idmapd.service",
        "nfs-mountd.service",
        "nfs-server.service",
        "nfs-utils.service",
        "nfsdcld.service",
        "nfsv4-exportd.service",
        "nfsv4-server.service",
        "nftables.service",
        "nm-priv-helper.service",
        "nmb.service",
        "nohang.service",
        "nohang-desktop.service",
        "nscd.service",
        "nss-lookup.target",
        "nss-user-lookup.target",
        "ntpd.service",
        "ntpdate.service",
        "nvidia-hibernate.service",
        "nvidia-persistenced.service",
        "nvidia-powerd.service",
        "nvidia-resume.service",
        "nvidia-suspend.service",
        "nvmefc-boot-connections.service",
        "nvmf-autoconnect.service",
        "nvmf-connect.target",
        "nvmf-connect-nbft.service",
        "nvmf-connect@.service",
        "pacrunner.service",
        "ostree-boot-complete.service",
        "pacman-filesdb-refresh.timer",
        "pcscd.service",
        "passim.service",
        "pcscd.socket",
        "packagekit-offline-update.service",
        "phoronix-result-server.service",
        "paccache.timer",
        "plymouth-kexec.service",
        "pamac-cleancache.timer",
        "plymouth-quit.service",
        "partimaged.service",
        "plymouth-poweroff.service",
        "plymouth-read-write.service",
        "plymouth-quit-wait.service",
        "paccache.service",
        "plymouth-switch-root-initramfs.service",
        "ostree-remount.service",
        "plymouth-switch-root.service",
        "openvpn-client@.service",
        "podman-clean-transient.service",
        "pamac-offline-upgrade.service",
        "polkit.service",
        "postfix.service",
        "pam_namespace.service",
        "poweroff.target",
        "ppp@.service",
        "opensnitchd.service",
        "proc-fs-nfsd.mount",
        "proc-sys-fs-binfmt_misc.automount",
        "proc-sys-fs-binfmt_misc.mount",
        "phoromatic-server.service",
        "ptunnel.service",
        "openvpn-server@.service",
        "plymouth-halt.service",
        "pamac-cleancache.service",
        "plymouth-reboot.service",
        "ostree-state-overlay@.service",
        "ostree-finalize-staged.service",
        "postgresql.service",
        "phoromatic-client.service",
        "pamac-daemon.service",
        "pacman-filesdb-refresh.service",
        "packagekit.service",
        "pkgfile-update.service",
        "pkgfile-update.timer",
        "plymouth-start.service",
        "ostree-prepare-root.service",
        "ostree-finalize-staged.path",
        "privoxy.service",
        "ostree-finalize-staged-hold.service",
        "qemu-guest-agent.service",
        "quotaon.service",
        "quotaon-root.service",
        "quotaon@.service",
        "rabbitmq.service",
        "ras-mc-ctl.service",
        "rasdaemon.service",
        "rathole@.service",
        "ratholec@.service",
        "ratholes@.service",
        "rc-local.service",
        "rdnssd@.service",
        "reboot.target",
        "redis.service",
        "redis-sentinel.service",
        "reflector.service",
        "reflector.timer",
        "remote-cryptsetup.target",
        "remote-fs.target",
        "remote-fs-pre.target",
        "remote-veritysetup.target",
        "rescue.service",
        "rescue.target",
        "rfkill-block@.service",
        "rfkill-unblock@.service",
        "rlogin.socket",
        "rlogin@.service",
        "rpc-gssd.service",
        "rpc-statd.service",
        "rpc-statd-notify.service",
        "rpc_pipefs.target",
        "rpcbind.service",
        "rpcbind.socket",
        "rpcbind.target",
        "rsh.socket",
        "rsh@.service",
        "rsyncd.service",
        "rsyncd.socket",
        "rsyncd@.service",
        "rtkit-daemon.service",
        "runlevel0.target",
        "runlevel1.target",
        "runlevel2.target",
        "runlevel3.target",
        "runlevel4.target",
        "runlevel5.target",
        "runlevel6.target",
        "rwhod.service",
        "samba.service",
        "sddm.service",
        "seatd.service",
        "sensord.service",
        "serial-getty@.service",
        "shadow.service",
        "shadow.timer",
        "sigpwr.target",
        "slapd.service",
        "sleep.target",
        "slices.target",
        "smartd.service",
        "smb.service",
        "sndiod.service",
        "snmpd.service",
        "snmptrapd.service",
        "snort@.service",
        "snort@1000.service",
        "soft-reboot.target",
        "ssh-access.target",
        "sshd.service",
        "sshdgenkeys.service",
        "sshuttle.service",
        "sslh.service",
        "sslh-fork.service",
        "sslh-select.service",
        "storage-target-mode.target",
        "stunnel.service",
        "sudo_logsrvd.service",
        "suspend.target",
        "suspend-then-hibernate.target",
        "svnserve.service",
        "swap.target",
        "sys-fs-fuse-connections.mount",
        "sys-kernel-config.mount",
        "sys-kernel-debug.mount",
        "sys-kernel-tracing.mount",
        "sysinit.target",
        "syslog.socket",
        "system-systemd\\x2dcryptsetup.slice",
        "system-systemd\\x2dveritysetup.slice",
        "system-update.target",
        "system-update-cleanup.service",
        "system-update-pre.target",
        "systemd-ask-password-console.path",
        "systemd-ask-password-console.service",
        "systemd-ask-password-plymouth.path",
        "systemd-ask-password-plymouth.service",
        "systemd-ask-password-wall.path",
        "systemd-ask-password-wall.service",
        "systemd-backlight@.service",
        "systemd-battery-check.service",
        "systemd-binfmt.service",
        "systemd-bless-boot.service",
        "systemd-boot-check-no-failures.service",
        "systemd-boot-random-seed.service",
        "systemd-boot-update.service",
        "systemd-bootctl.socket",
        "systemd-bootctl@.service",
        "systemd-bsod.service",
        "systemd-confext.service",
        "systemd-coredump.socket",
        "systemd-coredump@.service",
        "systemd-creds.socket",
        "systemd-creds@.service",
        "systemd-firstboot.service",
        "systemd-fsck-root.service",
        "systemd-fsck@.service",
        "systemd-growfs-root.service",
        "systemd-growfs@.service",
        "systemd-halt.service",
        "systemd-hibernate.service",
        "systemd-hibernate-resume.service",
        "systemd-homed.service",
        "systemd-homed-activate.service",
        "systemd-homed-firstboot.service",
        "systemd-hostnamed.service",
        "systemd-hostnamed.socket",
        "systemd-hwdb-update.service",
        "systemd-hybrid-sleep.service",
        "systemd-importd.service",
        "systemd-initctl.service",
        "systemd-initctl.socket",
        "systemd-journal-catalog-update.service",
        "systemd-journal-flush.service",
        "systemd-journal-gatewayd.service",
        "systemd-journal-gatewayd.socket",
        "systemd-journal-remote.service",
        "systemd-journal-remote.socket",
        "systemd-journal-upload.service",
        "systemd-journald.service",
        "systemd-journald.socket",
        "systemd-journald-audit.socket",
        "systemd-journald-dev-log.socket",
        "systemd-journald-varlink@.socket",
        "systemd-journald@.service",
        "systemd-journald@.socket",
        "systemd-kexec.service",
        "systemd-localed.service",
        "systemd-logind.service",
        "systemd-machine-id-commit.service",
        "systemd-machined.service",
        "systemd-modules-load.service",
        "systemd-network-generator.service",
        "systemd-networkd.service",
        "systemd-networkd.socket",
        "systemd-networkd-persistent-storage.service",
        "systemd-networkd-wait-online.service",
        "systemd-networkd-wait-online@.service",
        "systemd-nspawn@.service",
        "systemd-oomd.service",
        "systemd-oomd.socket",
        "systemd-pcrextend.socket",
        "systemd-pcrextend@.service",
        "systemd-pcrfs-root.service",
        "systemd-pcrfs@.service",
        "systemd-pcrlock.socket",
        "systemd-pcrlock-file-system.service",
        "systemd-pcrlock-firmware-code.service",
        "systemd-pcrlock-firmware-config.service",
        "systemd-pcrlock-machine-id.service",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrlock-secureboot-authority.service",
        "systemd-pcrlock-secureboot-policy.service",
        "systemd-pcrlock@.service",
        "systemd-pcrmachine.service",
        "systemd-pcrphase.service",
        "systemd-pcrphase-initrd.service",
        "systemd-pcrphase-sysinit.service",
        "systemd-portabled.service",
        "systemd-poweroff.service",
        "systemd-pstore.service",
        "systemd-quotacheck.service",
        "systemd-quotacheck-root.service",
        "systemd-quotacheck@.service",
        "systemd-random-seed.service",
        "systemd-reboot.service",
        "systemd-remount-fs.service",
        "systemd-repart.service",
        "systemd-resolved.service",
        "systemd-rfkill.service",
        "systemd-rfkill.socket",
        "systemd-soft-reboot.service",
        "systemd-storagetm.service",
        "systemd-suspend.service",
        "systemd-suspend-then-hibernate.service",
        "systemd-sysctl.service",
        "systemd-sysext.service",
        "systemd-sysext.socket",
        "systemd-sysext@.service",
        "systemd-sysupdate.service",
        "systemd-sysupdate.timer",
        "systemd-sysupdate-reboot.service",
        "systemd-sysupdate-reboot.timer",
        "systemd-sysusers.service",
        "systemd-time-wait-sync.service",
        "systemd-timedated.service",
        "systemd-timesyncd.service",
        "systemd-tmpfiles-setup-dev.service",
        "systemd-tmpfiles-setup-dev-early.service",
        "systemd-tpm2-setup.service",
        "systemd-tpm2-setup-early.service",
        "systemd-udev-trigger.service",
        "systemd-udevd.service",
        "systemd-udevd-control.socket",
        "systemd-udevd-kernel.socket",
        "systemd-update-done.service",
        "systemd-update-utmp.service",
        "systemd-update-utmp-runlevel.service",
        "systemd-user-sessions.service",
        "systemd-userdbd.service",
        "systemd-userdbd.socket",
        "systemd-vconsole-setup.service",
        "systemd-vmspawn@.service",
        "systemd-volatile-root.service",
        "systemd-zram-setup@.service",
        "talk.service",
        "talk.socket",
        "teamd@.service",
        "telnet.socket",
        "telnet@.service",
        "time-set.target",
        "time-sync.target",
        "tinc.service",
        "tinc@.service",
        "tinyproxy.service",
        "tlp.service",
        "tmp.mount",
        "tor.service",
        "tpm2.target",
        "udisks2.service",
        "udp2raw@.service",
        "ufw.service",
        "uksmd.service",
        "umount.target",
        "unbound.service",
        "updatedb.service",
        "updatedb.timer",
        "upower.service",
        "usb-gadget.target",
        "usb_modeswitch@.service",
        "usbipd.service",
        "usbmuxd.service",
        "user.slice",
        "user-runtime-dir@.service",
        "user@.service",
        "uuidd.service",
        "uuidd.socket",
        "var-lib-machines.mount",
        "var-lib-nfs-rpc_pipefs.mount",
        "vboxdrmclient.path",
        "vboxdrmclient.service",
        "vboxservice.service",
        "veritysetup.target",
        "veritysetup-pre.target",
        "virt-guest-shutdown.target",
        "virtchd.service",
        "virtchd.socket",
        "virtchd-admin.socket",
        "virtchd-ro.socket",
        "virtinterfaced.service",
        "virtinterfaced.socket",
        "virtinterfaced-admin.socket",
        "virtinterfaced-ro.socket",
        "virtlockd.service",
        "virtlockd.socket",
        "virtlockd-admin.socket",
        "virtlogd.service",
        "virtlogd.socket",
        "virtlogd-admin.socket",
        "virtlxcd.service",
        "virtlxcd.socket",
        "virtlxcd-admin.socket",
        "virtlxcd-ro.socket",
        "virtnetworkd.service",
        "virtnetworkd.socket",
        "virtnetworkd-admin.socket",
        "virtnetworkd-ro.socket",
        "virtnodedevd.service",
        "virtnodedevd.socket",
        "virtnodedevd-admin.socket",
        "virtnodedevd-ro.socket",
        "virtnwfilterd.service",
        "virtnwfilterd.socket",
        "virtnwfilterd-admin.socket",
        "virtnwfilterd-ro.socket",
        "virtproxyd.service",
        "virtproxyd.socket",
        "virtproxyd-admin.socket",
        "virtproxyd-ro.socket",
        "virtproxyd-tcp.socket",
        "virtproxyd-tls.socket",
        "virtqemud.service",
        "virtqemud.socket",
        "virtqemud-admin.socket",
        "virtqemud-ro.socket",
        "virtsecretd.service",
        "virtsecretd.socket",
        "virtsecretd-admin.socket",
        "virtsecretd-ro.socket",
        "virtstoraged.service",
        "virtstoraged.socket",
        "virtstoraged-admin.socket",
        "virtstoraged-ro.socket",
        "virtvboxd.service",
        "virtvboxd.socket",
        "virtvboxd-admin.socket",
        "virtvboxd-ro.socket",
        "vmtoolsd.service",
        "vmware-vmblock-fuse.service",
        "vpnc@.service",
        "wacom-inputattach@.service",
        "wg-quick.target",
        "wg-quick@.service",
        "winbind.service",
        "wondershaper.service",
        "wpa_supplicant.service",
        "wpa_supplicant-nl80211@.service",
        "wpa_supplicant-wired@.service",
        "wpa_supplicant@.service",
        "xfs_scrub@.service",
        "xfs_scrub_all.service",
        "xfs_scrub_all.timer",
        "xfs_scrub_fail@.service",
        "xl2tpd.service",
        "xplico.service",
        "xrdp.service",
        "xrdp-sesman.service",
        "yate.service",
        "zfs.target",
        "zfs-import.service",
        "zfs-import.target",
        "zfs-import-cache.service",
        "zfs-import-scan.service",
        "zfs-load-key.service",
        "zfs-mount.service",
        "zfs-scrub-monthly@.timer",
        "zfs-scrub-weekly@.timer",
        "zfs-scrub@.service",
        "zfs-share.service",
        "zfs-trim-monthly@.timer",
        "zfs-trim-weekly@.timer",
        "zfs-trim@.service",
        "zfs-volume-wait.service",
        "zfs-volumes.target",
        "zfs-zed.service",
        "plymouth.conf",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "50-rc_keymap.conf",
        "10-defaults.conf",
        "10-login-barrier.conf",
        "20-systemd-userdb.conf",
        "20-systemd-ssh-proxy.conf",
        "iptables-flush",
        "cpupower",
        "chkboot-bootcheck",
        "10-root.conf",
        "30-root-verity-sig.conf",
        "20-root-verity.conf",
        "80-systemd-timesync.list",
        "80-6rd-tunnel.link",
        "80-container-ve.network",
        "80-container-vb.network",
        "80-container-vz.link",
        "80-6rd-tunnel.network",
        "80-container-vz.network",
        "80-auto-link-local.network.example",
        "80-ethernet.network.example",
        "80-container-host0.network",
        "80-iwd.link",
        "80-container-vb.link",
        "80-vm-vt.link",
        "80-vm-vt.network",
        "80-wifi-adhoc.network",
        "80-wifi-ap.network.example",
        "80-wifi-station.network.example",
        "80-container-ve.link",
        "89-ethernet.network.example",
        "99-default.link",
        "dbus-broker.catalog",
        "dbus-broker-launch.catalog",
        "systemd.be.catalog",
        "systemd.be@latin.catalog",
        "systemd.da.catalog",
        "systemd.bg.catalog",
        "systemd.hu.catalog",
        "systemd.catalog",
        "systemd.it.catalog",
        "systemd.fr.catalog",
        "systemd.ko.catalog",
        "systemd.hr.catalog",
        "systemd.pl.catalog",
        "systemd.pt_BR.catalog",
        "systemd.ru.catalog",
        "systemd.sr.catalog",
        "systemd.zh_CN.catalog",
        "systemd.de.catalog",
        "systemd.zh_TW.catalog",
        "expl_cve_2021_40444.yar"
      ],
      "public": 1,
      "adversary": "Chinese Speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RemainAfterExit",
          "display_name": "RemainAfterExit",
          "target": null
        },
        {
          "id": "NMBDOPTIONS",
          "display_name": "NMBDOPTIONS",
          "target": null
        },
        {
          "id": "SMBDOPTIONS",
          "display_name": "SMBDOPTIONS",
          "target": null
        },
        {
          "id": "SuccessAction",
          "display_name": "SuccessAction",
          "target": null
        },
        {
          "id": "WINBINDOPTIONS",
          "display_name": "WINBINDOPTIONS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "661db37bf549518bf6f7f377",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "YARA": 16,
        "CVE": 4,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "domain": 102,
        "URL": 16,
        "email": 9,
        "hostname": 4,
        "CIDR": 2
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "4 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d586108786e7be59439809",
      "name": "Bot.io",
      "description": "",
      "modified": "2026-05-07T21:06:09.549000",
      "created": "2026-04-07T22:32:48.996000",
      "tags": [
        "added active",
        "related pulses",
        "found",
        "zergeca botnet",
        "zergeca",
        "upx packer",
        "khtml",
        "gecko",
        "united",
        "ids detections",
        "yara detections",
        "https domain",
        "tls sni",
        "ip lookup",
        "external ip",
        "malware",
        "encrypt",
        "techniques",
        "modify system",
        "process",
        "https",
        "performs dns",
        "tls version",
        "reads cpu",
        "proc indicative",
        "urls",
        "downloads",
        "persistence",
        "data upload",
        "extraction",
        "find s",
        "failed",
        "typ don",
        "ipv4 url",
        "canreb",
        "type ipv4",
        "url domail",
        "domail showing",
        "elf conta",
        "typ url",
        "zercega",
        "enter sc",
        "type",
        "include",
        "review",
        "n1 exclude",
        "suggestedincc",
        "a50 typ",
        "ipv4",
        "matches yara",
        "dete data",
        "yara detectea",
        "cro intormation",
        "exclude sugges",
        "sc car",
        "extra lte",
        "referen",
        "l extraction",
        "droo anv",
        "extr referen",
        "lte all",
        "je matches",
        "yara detel",
        "yara dete",
        "include review",
        "exchange lte",
        "je elf",
        "passive dns",
        "certificate",
        "files",
        "trojan",
        "related tags",
        "worm",
        "medium",
        "write c",
        "write",
        "high",
        "binary",
        "yara rule",
        "default",
        "moved",
        "schaan",
        "as834 ipxo",
        "dynamicloader",
        "program",
        "ee fc",
        "users",
        "ff d5",
        "python",
        "windows",
        "autoit",
        "confuserex",
        "stream",
        "guard",
        "launcher",
        "updater",
        "global",
        "america flag",
        "ashburn",
        "america related",
        "tags",
        "indicator facts",
        "historical otx",
        "controller fake",
        "akamai rank",
        "russia",
        "present nov",
        "aaaa",
        "link",
        "a domains",
        "ip address",
        "meta",
        "cve -2014-2321",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "pa status",
        "whois server",
        "included iocs",
        "manually add",
        "iocs o",
        "iocs",
        "sugges",
        "stop show",
        "types",
        "external",
        "ripe",
        "pa abusec",
        "neterra",
        "sofia",
        "bulgaria phone",
        "filtered person",
        "neven dilkov",
        "bg phone",
        "filtered route",
        "a5ip",
        "aa2023",
        "aamirai",
        "a2scanner",
        "apple inc",
        "issuer",
        "valid",
        "algorit",
        "thum",
        "name",
        "a9 a8",
        "status",
        "macho",
        "macho 64bit",
        "mac os",
        "x macho",
        "intel",
        "typ no",
        "td td",
        "td tr",
        "a td",
        "dynamic dns",
        "date",
        "name servers",
        "arial",
        "error",
        "null",
        "enough",
        "hosts",
        "win32",
        "fast",
        "contacted",
        "MacSync_AppleScript_Stealer",
        "cve-2018-10562",
        "source",
        "roboto",
        "robotodraft",
        "helvetica",
        "iframe",
        "manually ada",
        "review iocs",
        "abv0",
        "qaeaav0",
        "cptbdev",
        "w4uninitialized",
        "qaeaav01",
        "abv01",
        "qaexn",
        "qbenxz",
        "phoneidentify",
        "qbepaxxz"
      ],
      "references": [
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "Zercega \u2022 IPv4 84.54.51.82",
        "Zercega \u2022  http://bot.hamsterrace.space:5966/",
        "Zercega \u2022  multi-user.target",
        "Zercega \u2022  ootheca.pw",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "Crowdsourced IDS rules:",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
        "Yara detected: Xmrig cryptocurrency miner",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "meta.com \u2022 meta.com.apple",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "http://www.bing.lt/search?q=",
        "Win.Malware.Salat-10058846-0",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Zergeca",
          "display_name": "Zergeca",
          "target": null
        },
        {
          "id": "AutoIT",
          "display_name": "AutoIT",
          "target": null
        },
        {
          "id": "Win.Malware.Salat-10058846-0",
          "display_name": "Win.Malware.Salat-10058846-0",
          "target": null
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-9850453-0",
          "display_name": "Win.Trojan.Emotet-9850453-0",
          "target": null
        },
        {
          "id": "Worm:Win32/AutoRun!atmn",
          "display_name": "Worm:Win32/AutoRun!atmn",
          "target": "/malware/Worm:Win32/AutoRun!atmn"
        },
        {
          "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "CVE-2014-2321",
          "display_name": "CVE-2014-2321",
          "target": null
        },
        {
          "id": "Botnet",
          "display_name": "Botnet",
          "target": null
        },
        {
          "id": "CVE-2018-10562",
          "display_name": "CVE-2018-10562",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1222.002",
          "name": "Linux and Mac File and Directory Permissions Modification",
          "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1037.002",
          "name": "Logon Script (Mac)",
          "display_name": "T1037.002 - Logon Script (Mac)"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "69d5859750dfad7fe7989ef4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1871,
        "domain": 393,
        "hostname": 925,
        "FileHash-MD5": 391,
        "FileHash-SHA1": 390,
        "FileHash-SHA256": 2452,
        "CVE": 1,
        "SSLCertFingerprint": 1,
        "email": 4,
        "CIDR": 1
      },
      "indicator_count": 6429,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5859750dfad7fe7989ef4",
      "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer",
      "description": "",
      "modified": "2026-05-07T21:06:09.549000",
      "created": "2026-04-07T22:30:47.312000",
      "tags": [
        "added active",
        "related pulses",
        "found",
        "zergeca botnet",
        "zergeca",
        "upx packer",
        "khtml",
        "gecko",
        "united",
        "ids detections",
        "yara detections",
        "https domain",
        "tls sni",
        "ip lookup",
        "external ip",
        "malware",
        "encrypt",
        "techniques",
        "modify system",
        "process",
        "https",
        "performs dns",
        "tls version",
        "reads cpu",
        "proc indicative",
        "urls",
        "downloads",
        "persistence",
        "data upload",
        "extraction",
        "find s",
        "failed",
        "typ don",
        "ipv4 url",
        "canreb",
        "type ipv4",
        "url domail",
        "domail showing",
        "elf conta",
        "typ url",
        "zercega",
        "enter sc",
        "type",
        "include",
        "review",
        "n1 exclude",
        "suggestedincc",
        "a50 typ",
        "ipv4",
        "matches yara",
        "dete data",
        "yara detectea",
        "cro intormation",
        "exclude sugges",
        "sc car",
        "extra lte",
        "referen",
        "l extraction",
        "droo anv",
        "extr referen",
        "lte all",
        "je matches",
        "yara detel",
        "yara dete",
        "include review",
        "exchange lte",
        "je elf",
        "passive dns",
        "certificate",
        "files",
        "trojan",
        "related tags",
        "worm",
        "medium",
        "write c",
        "write",
        "high",
        "binary",
        "yara rule",
        "default",
        "moved",
        "schaan",
        "as834 ipxo",
        "dynamicloader",
        "program",
        "ee fc",
        "users",
        "ff d5",
        "python",
        "windows",
        "autoit",
        "confuserex",
        "stream",
        "guard",
        "launcher",
        "updater",
        "global",
        "america flag",
        "ashburn",
        "america related",
        "tags",
        "indicator facts",
        "historical otx",
        "controller fake",
        "akamai rank",
        "russia",
        "present nov",
        "aaaa",
        "link",
        "a domains",
        "ip address",
        "meta",
        "cve -2014-2321",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "pa status",
        "whois server",
        "included iocs",
        "manually add",
        "iocs o",
        "iocs",
        "sugges",
        "stop show",
        "types",
        "external",
        "ripe",
        "pa abusec",
        "neterra",
        "sofia",
        "bulgaria phone",
        "filtered person",
        "neven dilkov",
        "bg phone",
        "filtered route",
        "a5ip",
        "aa2023",
        "aamirai",
        "a2scanner",
        "apple inc",
        "issuer",
        "valid",
        "algorit",
        "thum",
        "name",
        "a9 a8",
        "status",
        "macho",
        "macho 64bit",
        "mac os",
        "x macho",
        "intel",
        "typ no",
        "td td",
        "td tr",
        "a td",
        "dynamic dns",
        "date",
        "name servers",
        "arial",
        "error",
        "null",
        "enough",
        "hosts",
        "win32",
        "fast",
        "contacted",
        "MacSync_AppleScript_Stealer",
        "cve-2018-10562",
        "source",
        "roboto",
        "robotodraft",
        "helvetica",
        "iframe",
        "manually ada",
        "review iocs",
        "abv0",
        "qaeaav0",
        "cptbdev",
        "w4uninitialized",
        "qaeaav01",
        "abv01",
        "qaexn",
        "qbenxz",
        "phoneidentify",
        "qbepaxxz"
      ],
      "references": [
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "Zercega \u2022 IPv4 84.54.51.82",
        "Zercega \u2022  http://bot.hamsterrace.space:5966/",
        "Zercega \u2022  multi-user.target",
        "Zercega \u2022  ootheca.pw",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "Crowdsourced IDS rules:",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
        "Yara detected: Xmrig cryptocurrency miner",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "meta.com \u2022 meta.com.apple",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "http://www.bing.lt/search?q=",
        "Win.Malware.Salat-10058846-0",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Zergeca",
          "display_name": "Zergeca",
          "target": null
        },
        {
          "id": "AutoIT",
          "display_name": "AutoIT",
          "target": null
        },
        {
          "id": "Win.Malware.Salat-10058846-0",
          "display_name": "Win.Malware.Salat-10058846-0",
          "target": null
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-9850453-0",
          "display_name": "Win.Trojan.Emotet-9850453-0",
          "target": null
        },
        {
          "id": "Worm:Win32/AutoRun!atmn",
          "display_name": "Worm:Win32/AutoRun!atmn",
          "target": "/malware/Worm:Win32/AutoRun!atmn"
        },
        {
          "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "CVE-2014-2321",
          "display_name": "CVE-2014-2321",
          "target": null
        },
        {
          "id": "Botnet",
          "display_name": "Botnet",
          "target": null
        },
        {
          "id": "CVE-2018-10562",
          "display_name": "CVE-2018-10562",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1222.002",
          "name": "Linux and Mac File and Directory Permissions Modification",
          "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1037.002",
          "name": "Logon Script (Mac)",
          "display_name": "T1037.002 - Logon Script (Mac)"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1871,
        "domain": 393,
        "hostname": 925,
        "FileHash-MD5": 391,
        "FileHash-SHA1": 390,
        "FileHash-SHA256": 2452,
        "CVE": 1,
        "SSLCertFingerprint": 1,
        "email": 4,
        "CIDR": 1
      },
      "indicator_count": 6429,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6952635ab96902a7f72b2869",
      "name": "Attackers exploit CVE-2025-55182 vulnerability in attacks on Russian companies",
      "description": "Recent cyber attacks against Russian companies have exploited the CVE-2025-55182 vulnerability (React2Shell) to carry out a range of malicious activities. These attacks predominantly involved the deployment of the XMRig cryptocurrency miner alongside other malicious payloads, including backdoors and botnets.\n\nIn specific cases, adversaries gained control over compromised hosts running containerized environments and executed several commands after exploiting the React2Shell vulnerability. For instance, reconnaissance activities included running Base64-encoded commands to gather information about the compromised systems, showing the attackers' intent to extend their control and collect intelligence before deploying further payloads.",
      "modified": "2026-01-28T11:02:28.156000",
      "created": "2025-12-29T11:17:46.058000",
      "tags": [
        "bash",
        "xmrig",
        "elf64",
        "vshell",
        "react2shell",
        "base64",
        "etherrat",
        "xmrig http",
        "cve202555182",
        "kaiji",
        "sliver",
        "cobalt strike",
        "apache",
        "root",
        "service",
        "install",
        "rust",
        "ares",
        "shell",
        "systemd",
        "team",
        "macos",
        "powershell",
        "arcane",
        "werewolf",
        "loki",
        "cookie",
        "xmrig miner",
        "bash script",
        "elf32",
        "tactical rmm",
        "kaiji botnet",
        "crossc2 cobalt",
        "xmrig mining",
        "c2the rustobot",
        "distribution"
      ],
      "references": [
        "https://bi.zone/expertise/blog/zloumyshlenniki-ekspluatiruyut-uyazvimost-cve-2025-55182-v-atakakh-na-rossiyskie-kompanii/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 43,
        "URL": 53,
        "domain": 8,
        "hostname": 13
      },
      "indicator_count": 154,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "122 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6947af2d6bc68eb38075e3a5",
      "name": "APT36 sample analysis",
      "description": "APT36 has been observed utilizing two distinct methods to execute malware on Linux and Windows platforms, focusing on the distribution of malicious files disguised as legitimate documents.\n\nOn Linux, the attack begins with the creation of a `.local` directory with specific permissions (0755), followed by downloading three files from a target URL: `gkt3.1`, `gkt3.sh`, and `APPL FOR UPDATION.pdf`. The `gkt3.sh` script is executed after this download, which subsequently utilizes the `xdg-open` command to open the PDF file, potentially leading to further exploitation or malware execution.\n\nConversely, on Windows platforms, APT36 employs a malicious shortcut (LNK file) named `APPL FOR UPDATION OF NAME BASED & OFFICIAL NIC E-MAIL ID.pdf.LNK`. This file initiates the execution of embedded code through the use of the `mshta.exe` tool, a legitimate Windows system application.",
      "modified": "2026-01-20T08:04:26.478000",
      "created": "2025-12-21T08:26:21.188000",
      "tags": [
        "windows",
        "powershell",
        "apt36",
        "linux",
        "appl for",
        "shell",
        "listdrives",
        "userprofile",
        "post",
        "official nic",
        "grabber",
        "service",
        "install",
        "python",
        "hello",
        "push",
        "hosts",
        "runfile",
        "orpcbackdoor",
        "konni",
        "muddywater"
      ],
      "references": [
        "https://www.ctfiot.com/287443.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        }
      ],
      "industries": [
        "IoT",
        "Military"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3,
        "CVE": 1,
        "FileHash-MD5": 17,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 11,
        "URL": 7
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "131 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69395510912ec76473ed9501",
      "name": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig",
      "description": "",
      "modified": "2026-01-09T11:02:53.662000",
      "created": "2025-12-10T11:10:08.734000",
      "tags": [
        "etherrat",
        "react2shell",
        "dprk",
        "december",
        "cve202555182",
        "rscs",
        "sysdig trt",
        "cobalt strike",
        "stage",
        "ethereum rpc",
        "sliver",
        "powershell",
        "vshell",
        "xmrig",
        "shell",
        "hunt"
      ],
      "references": [
        "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mengkuong",
        "id": "239193",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 12,
        "CVE": 1,
        "domain": 2,
        "hostname": 9
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "141 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "network.target",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "network.target",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780223418.5123234
}