{
"type": "Domain",
"indicator": "nginx.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/nginx.com",
"alexa": "http://www.alexa.com/siteinfo/nginx.com",
"indicator": "nginx.com",
"type": "domain",
"type_title": "Domain",
"validation": [
{
"source": "majestic",
"message": "Whitelisted domain nginx.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 2138371625,
"indicator": "nginx.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69b4976f33b3aeaa0fb81c6c",
"name": "Spam DarkWatchman - Christopher P Ahmann | Palantir/ Foundry | | Deleting IoCs ",
"description": "",
"modified": "2026-03-13T23:02:07.162000",
"created": "2026-03-13T23:02:07.162000",
"tags": [
"darkwatchman",
"trojan",
"dark comet",
"stop",
"palantir",
"foundry",
"tam legal",
"quasi government",
"xred",
"darkgate",
"elex",
"glassworm",
"autorun",
"workman\u2019s compensation",
"denver colorado",
"monitored target",
"targeting tsara brashears",
"assaulter jeffrey reimer",
"apple",
"targeting apple products",
"robert neill hit man",
"murderers",
"discovery",
"gather victim",
"run keys",
"startup",
"folder",
"modules",
"manipulation",
"execution",
"capture",
"persistence",
"virtual machine",
"brian sabey",
"rubin pusha",
"psyops",
"law enforcement",
"tony spurlock",
"cyber crime",
"physical crime",
"reputation damage",
"malicious media",
"illegal",
"stalking",
"false imprisonment",
"swatting",
"c2",
"cnc",
"infiltration",
"software",
"encoding",
"match peb",
"peb idrdata",
"getprocaddress",
"file attributes",
"e1113",
"execu",
"autostart",
"logon",
"shared modules",
"windows match",
"hires hit men",
"legal entities",
"government contractors",
"sheriff",
"afraid",
"boot",
"financial exploitation",
"hacking",
"phishing",
"chaos",
"tools",
"illegal",
"targeting dropbox",
"remote. attacks",
"att long lines",
"ids detections",
"yara detections",
"filehash",
"pulse pulses",
"av detections",
"alerts",
"analysis date",
"file score",
"worm",
"dns update",
"shgetmalloc",
"delphi",
"dllimport",
"read c",
"write c",
"search",
"wsasend",
"intptr",
"post",
"create c",
"instrumentation",
"null",
"write",
"service",
"malware",
"main",
"look",
"install",
"wmi",
"et trojan",
"drive content",
"truth",
"name",
"query",
"dynamic dns",
"update request",
"myapp",
"zeppelin30",
"bobsoft mini",
"bobsoft",
"patrick",
"anyxxx"
],
"references": [
"Domain https://tamlegal.com/attorneys/christopher-p-ahmann/",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Malicious IP Contacted: 69.42.215.252",
"Found in this pulse targeting SA victim | https://otx.alienvault.com/pulse/691f4d4ef0a2a570b8b21cd2",
"Large detailed pulse : https://otx.alienvault.com/pulse/6920c43c3772bb24f26f70cc",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"Palantir- http://freedns.afraid.org/images/apple.gif",
"C2: \u2022 xred.mooo.com | Xred backdoor detected",
"https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs RULE_AUTHOR: X__Junior",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST)",
"Relationships below | https://otx.alienvault.com/indicator/file/f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d",
"https://otx.alienvault.com/pulse/68788dfd4a0943cb318c7137",
"https://otx.alienvault.com/pulse/678f0dbdbc59dd2ea5656dcf",
"https://otx.alienvault.com/pulse/66f31b9a0551ca166c872292",
"https://otx.alienvault.com/pulse/637d62b085a09abca4d6020f",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://mwdb.cert.pl/file/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"https://jaffacakes118.dev/analysis/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"command_and_control : 42.250.147.101 \u2022 IPv4\t69.42.215.252",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Christoper Ahmann work photo: https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"Christopher Ahmann @ play https://urlscan.io/screenshots/019aa896-590f-7069-b68a-3a3714d4332e.png",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Qshell-9875653",
"display_name": "Win.Malware.Qshell-9875653",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win32/DarkWatchman",
"display_name": "Win32/DarkWatchman",
"target": null
},
{
"id": "ET TROJAN",
"display_name": "ET TROJAN",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": "6920f8345100dc513679661e",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 15,
"URL": 115,
"FileHash-MD5": 23,
"FileHash-SHA1": 17,
"FileHash-SHA256": 57,
"hostname": 45
},
"indicator_count": 272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6920f8345100dc513679661e",
"name": "DarkWatchman - Christopher P Ahmann | Palantir/ Foundry | The \u2018small pulse\u2019 version",
"description": "Christopher P. Ahmann is a darkwatchman. Type: \u2018 I feel disenfranchised \u2019 Totally inappropriate behavior.\nA dangerous thinker, planner , enlister , and actor. If you spend this much time trying to kill one person just think of how many others.\n\nPalantir - Playing God.\nPeter Theil - A serial entrepreneur. He\u2019ll allow a few dozen people to live if asked.\nHe is a Christian! Afraid of an apocalypse he\u2019s causing but not God. Peter of the Bible betrayed Jesus of Nazareth NOT Israel (1948 people) ironically before he \u2018cock\u2019 crowed 3 times.. \n(Calm down Tsara had true Jewish DNA) \n\nAlexander Karp - Seriously? Karp Quotes: Were doin\u2019 it!\u2019 \u2018 I want to douse crowds of people with fentanyl laced urine and make people poor!\u2019 \u2018We kill Palestinians! It\u2019s us!\u2019 He would have killed for free \n\nThe Y.A.S post wasn\u2019t added or approved by me. I\u2019m the lead but only 1 of 16 researchers. We get upset.",
"modified": "2025-12-21T22:00:16.311000",
"created": "2025-11-21T23:39:32.424000",
"tags": [
"darkwatchman",
"trojan",
"dark comet",
"stop",
"palantir",
"foundry",
"tam legal",
"quasi government",
"xred",
"darkgate",
"elex",
"glassworm",
"autorun",
"workman\u2019s compensation",
"denver colorado",
"monitored target",
"targeting tsara brashears",
"assaulter jeffrey reimer",
"apple",
"targeting apple products",
"robert neill hit man",
"murderers",
"discovery",
"gather victim",
"run keys",
"startup",
"folder",
"modules",
"manipulation",
"execution",
"capture",
"persistence",
"virtual machine",
"brian sabey",
"rubin pusha",
"psyops",
"law enforcement",
"tony spurlock",
"cyber crime",
"physical crime",
"reputation damage",
"malicious media",
"illegal",
"stalking",
"false imprisonment",
"swatting",
"c2",
"cnc",
"infiltration",
"software",
"encoding",
"match peb",
"peb idrdata",
"getprocaddress",
"file attributes",
"e1113",
"execu",
"autostart",
"logon",
"shared modules",
"windows match",
"hires hit men",
"legal entities",
"government contractors",
"sheriff",
"afraid",
"boot",
"financial exploitation",
"hacking",
"phishing",
"chaos",
"tools",
"illegal",
"targeting dropbox",
"remote. attacks",
"att long lines",
"ids detections",
"yara detections",
"filehash",
"pulse pulses",
"av detections",
"alerts",
"analysis date",
"file score",
"worm",
"dns update",
"shgetmalloc",
"delphi",
"dllimport",
"read c",
"write c",
"search",
"wsasend",
"intptr",
"post",
"create c",
"instrumentation",
"null",
"write",
"service",
"malware",
"main",
"look",
"install",
"wmi",
"et trojan",
"drive content",
"truth",
"name",
"query",
"dynamic dns",
"update request",
"myapp",
"zeppelin30",
"bobsoft mini",
"bobsoft",
"patrick",
"anyxxx"
],
"references": [
"Domain https://tamlegal.com/attorneys/christopher-p-ahmann/",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Malicious IP Contacted: 69.42.215.252",
"Found in this pulse targeting SA victim | https://otx.alienvault.com/pulse/691f4d4ef0a2a570b8b21cd2",
"Large detailed pulse : https://otx.alienvault.com/pulse/6920c43c3772bb24f26f70cc",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"Palantir- http://freedns.afraid.org/images/apple.gif",
"C2: \u2022 xred.mooo.com | Xred backdoor detected",
"https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs RULE_AUTHOR: X__Junior",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST)",
"Relationships below | https://otx.alienvault.com/indicator/file/f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d",
"https://otx.alienvault.com/pulse/68788dfd4a0943cb318c7137",
"https://otx.alienvault.com/pulse/678f0dbdbc59dd2ea5656dcf",
"https://otx.alienvault.com/pulse/66f31b9a0551ca166c872292",
"https://otx.alienvault.com/pulse/637d62b085a09abca4d6020f",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://mwdb.cert.pl/file/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"https://jaffacakes118.dev/analysis/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"command_and_control : 42.250.147.101 \u2022 IPv4\t69.42.215.252",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Christoper Ahmann work photo: https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"Christopher Ahmann @ play https://urlscan.io/screenshots/019aa896-590f-7069-b68a-3a3714d4332e.png",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Qshell-9875653",
"display_name": "Win.Malware.Qshell-9875653",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win32/DarkWatchman",
"display_name": "Win32/DarkWatchman",
"target": null
},
{
"id": "ET TROJAN",
"display_name": "ET TROJAN",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 15,
"URL": 115,
"FileHash-MD5": 23,
"FileHash-SHA1": 17,
"FileHash-SHA256": 57,
"hostname": 45
},
"indicator_count": 272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "119 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "119 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f80c6bcd3fff3a4f126a68",
"name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ",
"description": "",
"modified": "2025-11-20T17:00:05.377000",
"created": "2025-10-21T22:42:51.657000",
"tags": [
"united",
"urls",
"domain",
"files",
"files ip",
"td td",
"td tr",
"a td",
"dynamic dns",
"arial",
"worm",
"trojandropper",
"meta",
"null",
"enough",
"hosts",
"win32",
"fast",
"present oct",
"present jul",
"present sep",
"present aug",
"moved",
"ip address",
"error",
"title",
"ipv4 add",
"url analysis",
"hosting",
"reverse dns",
"america flag",
"name servers",
"body",
"a domains",
"passive dns",
"welcome",
"ok server",
"gmt content",
"twitter",
"dynamicloader",
"write c",
"medium",
"myapp",
"high",
"host",
"delphi",
"write",
"code",
"malware",
"device driver",
"backdoor",
"msil",
"present mar",
"apanas",
"regsetvalueexa",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"langturkish",
"sublangdefault",
"regdword",
"persistence",
"execution",
"nids",
"zegost",
"trojan",
"win32fugrafa",
"malwarexgen att",
"ck ids",
"t1040",
"sniffing",
"location united",
"united states",
"KeyAuth Open-source Authentication System Domain (keyauth .win) ",
"yara rule",
"search",
"blobx00x00x00",
"guard",
"encrypt",
"afraid",
"smartphone",
"laptop",
"tablet",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"show technique",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"access att",
"t1566 phishing",
"font",
"pattern match",
"general",
"contact",
"premium",
"never",
"core",
"external system",
"http header",
"network traffic",
"sample",
"antivirus",
"systems found",
"ipurl artifact",
"network related",
"sends traffic",
"http outbound",
"hostname add",
"address",
"registrar",
"internet ltd",
"livedomains",
"creation date",
"hostname",
"domain add",
"modrg",
"sincpoatia",
"utf8",
"appdata",
"temp",
"fyfdz",
"iepgq",
"trlew",
"copy",
"kentuchy",
"oljnmrfghb",
"powershell",
"sabey",
"sokolove law"
],
"references": [
"afraid.org | evergreen.afraid.org",
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
"https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
"https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
"Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
"Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
"KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
"https://api.strem.io/api/addonCollectionGet%",
"http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
"aohhpesayw.lawsonengineers.co.",
"Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru",
"gitea.neconsside.com \u2022 http://f7194.vip/login",
"2012647\tDropbox.com Offsite File Backup in Use",
"target.dropboxbusiness.com",
"consolefoundry.date \u2022 http://consolefoundry.date",
"http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Neshta",
"display_name": "Neshta",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "MalwareX-Gen",
"display_name": "MalwareX-Gen",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Worm:Win32/AutoRun.B",
"display_name": "Worm:Win32/AutoRun.B",
"target": "/malware/Worm:Win32/AutoRun.B"
},
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "Kentuchy",
"display_name": "Kentuchy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f7ced2cf17d264b49628bc",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 483,
"hostname": 1397,
"URL": 2874,
"email": 2,
"FileHash-MD5": 369,
"FileHash-SHA1": 355,
"FileHash-SHA256": 1534,
"SSLCertFingerprint": 7
},
"indicator_count": 7021,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f7ced2cf17d264b49628bc",
"name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information",
"description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.",
"modified": "2025-11-20T17:00:05.377000",
"created": "2025-10-21T18:20:02.120000",
"tags": [
"united",
"urls",
"domain",
"files",
"files ip",
"td td",
"td tr",
"a td",
"dynamic dns",
"arial",
"worm",
"trojandropper",
"meta",
"null",
"enough",
"hosts",
"win32",
"fast",
"present oct",
"present jul",
"present sep",
"present aug",
"moved",
"ip address",
"error",
"title",
"ipv4 add",
"url analysis",
"hosting",
"reverse dns",
"america flag",
"name servers",
"body",
"a domains",
"passive dns",
"welcome",
"ok server",
"gmt content",
"twitter",
"dynamicloader",
"write c",
"medium",
"myapp",
"high",
"host",
"delphi",
"write",
"code",
"malware",
"device driver",
"backdoor",
"msil",
"present mar",
"apanas",
"regsetvalueexa",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"langturkish",
"sublangdefault",
"regdword",
"persistence",
"execution",
"nids",
"zegost",
"trojan",
"win32fugrafa",
"malwarexgen att",
"ck ids",
"t1040",
"sniffing",
"location united",
"united states",
"KeyAuth Open-source Authentication System Domain (keyauth .win) ",
"yara rule",
"search",
"blobx00x00x00",
"guard",
"encrypt",
"afraid",
"smartphone",
"laptop",
"tablet",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"show technique",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"access att",
"t1566 phishing",
"font",
"pattern match",
"general",
"contact",
"premium",
"never",
"core",
"external system",
"http header",
"network traffic",
"sample",
"antivirus",
"systems found",
"ipurl artifact",
"network related",
"sends traffic",
"http outbound",
"hostname add",
"address",
"registrar",
"internet ltd",
"livedomains",
"creation date",
"hostname",
"domain add",
"modrg",
"sincpoatia",
"utf8",
"appdata",
"temp",
"fyfdz",
"iepgq",
"trlew",
"copy",
"kentuchy",
"oljnmrfghb",
"powershell",
"sabey",
"sokolove law"
],
"references": [
"afraid.org | evergreen.afraid.org",
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
"https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
"https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
"Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
"Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
"KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
"https://api.strem.io/api/addonCollectionGet%",
"http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
"aohhpesayw.lawsonengineers.co.",
"Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru",
"gitea.neconsside.com \u2022 http://f7194.vip/login",
"2012647\tDropbox.com Offsite File Backup in Use",
"target.dropboxbusiness.com",
"consolefoundry.date \u2022 http://consolefoundry.date",
"http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Neshta",
"display_name": "Neshta",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "MalwareX-Gen",
"display_name": "MalwareX-Gen",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Worm:Win32/AutoRun.B",
"display_name": "Worm:Win32/AutoRun.B",
"target": "/malware/Worm:Win32/AutoRun.B"
},
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "Kentuchy",
"display_name": "Kentuchy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 483,
"hostname": 1397,
"URL": 2874,
"email": 2,
"FileHash-MD5": 369,
"FileHash-SHA1": 355,
"FileHash-SHA256": 1534,
"SSLCertFingerprint": 7
},
"indicator_count": 7021,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f80aa152fdd795fa008e2e",
"name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices",
"description": "",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-21T22:35:13.128000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f5cfa9b74d6faa43eb6585",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f5cfa9b74d6faa43eb6585",
"name": "Indicator Removal service affecting Threat Hunters | Brian Sabey",
"description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl",
"modified": "2025-11-19T05:02:39.961000",
"created": "2025-10-20T05:59:04.173000",
"tags": [
"url https",
"url http",
"hostname",
"b9sdwan",
"b9 no",
"united",
"passive dns",
"ipv4 add",
"urls",
"location united",
"america flag",
"san jose",
"trojan",
"canada unknown",
"hostname add",
"url analysis",
"http",
"ip address",
"related nids",
"path",
"america asn",
"as4983 intel",
"canada",
"gmt p3p",
"cp noi",
"adm dev",
"psai com",
"unknown ns",
"united states",
"twitter",
"url add",
"files location",
"flag united",
"status",
"emails",
"servers",
"mtb aug",
"win32",
"invalid url",
"lowfi",
"body html",
"head title",
"files",
"files ip",
"filehashmd5",
"iocs",
"type indicator",
"role title",
"related pulses",
"dynamicloader",
"directui",
"write c",
"element",
"classinfobase",
"forbidden",
"write",
"high",
"worm",
"delphi",
"guard",
"error",
"vmprotect",
"malware",
"defender",
"suspicious",
"port",
"read c",
"destination",
"crlf line",
"rgba",
"unicode",
"png image",
"td td",
"td tr",
"a td",
"dynamic dns",
"search",
"arial",
"trojandropper",
"null",
"enough",
"hosts",
"fast",
"afraid",
"a domains",
"welcome",
"ok server",
"gmt content",
"present sep",
"unknown soa",
"unknown cname",
"present oct",
"present aug",
"event rocket",
"title",
"cookie",
"encrypt",
"sabey type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1434,
"URL": 3982,
"FileHash-MD5": 391,
"FileHash-SHA1": 309,
"FileHash-SHA256": 1525,
"domain": 758,
"email": 10,
"SSLCertFingerprint": 3,
"CVE": 1
},
"indicator_count": 8413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ae5b9ef87646927a236b61",
"name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry",
"description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems",
"modified": "2025-09-26T00:01:12.214000",
"created": "2025-08-27T01:13:02.780000",
"tags": [
"google",
"mullvad browser",
"value",
"incognito mode",
"mine",
"unix time",
"friday",
"january",
"does",
"tor browser",
"search",
"show",
"langchinese",
"packing t1045",
"t1045",
"medium",
"pe resource",
"module load",
"t1129",
"service",
"trojan",
"copy",
"dock",
"write",
"malware",
"clock",
"united",
"passive dns",
"urls",
"next associated",
"gmt cache",
"ipv4 add",
"pulse pulses",
"files",
"reverse dns",
"win32",
"title",
"location united",
"america flag",
"america asn",
"as15169 google",
"dns resolutions",
"domains top",
"level",
"unique tlds",
"present aug",
"china unknown",
"creation date",
"date",
"domain",
"ip address",
"domain name",
"expiration date",
"status ok",
"nanjing",
"accept",
"body",
"div td",
"td tr",
"div div",
"span span",
"a li",
"span p",
"p div",
"moved",
"a domains",
"open",
"span",
"uuupupu",
"t1055",
"process32nextw",
"high",
"windows",
"high defense",
"evasion",
"delphi",
"google gmail",
"images sign",
"advanced search",
"solutions",
"privacy",
"store gmail",
"delete delete",
"report",
"how search",
"applying ai",
"settings search",
"advanced",
"search search",
"search help",
"domainabuse",
"showing",
"hostname add",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"read c",
"tlsv1",
"whitelisted",
"port",
"destination",
"ascii text",
"next",
"encrypt",
"script urls",
"msie",
"chrome",
"bad gateway",
"script domains",
"present feb",
"link",
"meta",
"digital",
"language",
"body doctype",
"ghost",
"present jun",
"aaaa",
"present jul",
"present oct",
"record value",
"yara detections",
"dock zone",
"top source",
"top destination",
"source source",
"filehash",
"code",
"error",
"windows nt",
"wow64",
"slcc2",
"media center",
"execution",
"persistence",
"tulach",
"brian sabey",
"dod network",
"orgtechref",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity dnic",
"handle",
"whois lookup",
"dod",
"et trojan",
"server header",
"suspicious",
"et info",
"unknown",
"virustotal",
"specified",
"download",
"et",
"please",
"type size",
"first seen",
"loading",
"python wheel",
"dynamicloader",
"intel",
"ms windows",
"pe32",
"entries",
"user agent",
"powershell",
"agent",
"yara rule",
"checks",
"levelblue",
"open threat",
"observed dns",
"query",
"dns lookup",
"msdos",
"wannacry dns",
"lookup",
"wannacry",
"worm",
"explorer",
"msil",
"darkcomet",
"ping",
"tools",
"capture",
"hallrender",
"dga domains",
"unfurl sites",
"honey net",
"bot",
"nxdomain",
"potential-c2"
],
"references": [
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"DoD Network Information Center (DNIC)",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"Python Wheel package",
"https://www.google.com/search",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Magania.DSK!MTB",
"display_name": "Trojan:Win32/Magania.DSK!MTB",
"target": "/malware/Trojan:Win32/Magania.DSK!MTB"
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "a variant of Win32/Kryptik.DEOA",
"display_name": "a variant of Win32/Kryptik.DEOA",
"target": null
},
{
"id": "ALF:Exploit:Win32/gSharedInfoRef.A",
"display_name": "ALF:Exploit:Win32/gSharedInfoRef.A",
"target": null
},
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
}
],
"industries": [
"Telecommunications",
"Technology",
"Civilian"
],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8221,
"domain": 1216,
"FileHash-SHA256": 2434,
"FileHash-MD5": 296,
"FileHash-SHA1": 155,
"hostname": 2939,
"email": 7,
"SSLCertFingerprint": 8,
"CIDR": 2
},
"indicator_count": 15278,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "205 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "670224ac3c8cce621843a477",
"name": "Man in Browser Multi-systems attack | Ransom",
"description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin",
"modified": "2024-11-05T05:02:29.649000",
"created": "2024-10-06T05:48:28.806000",
"tags": [
"as32934",
"passive dns",
"urls",
"address",
"search",
"unknown",
"aaaa",
"as13414 twitter",
"as19679 dropbox",
"germany unknown",
"france unknown",
"hong kong",
"asnone hong",
"kong unknown",
"kong",
"all scoreblue",
"ipv4",
"files",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"hostname",
"a domains",
"meta",
"moved",
"body",
"as13768 aptum",
"canada",
"asnone united",
"whitelisted",
"url analysis",
"location united",
"cookie",
"united states",
"record type",
"ttl value",
"key identifier",
"full name",
"data",
"v3 serial",
"number",
"cus odigicert",
"cndigicert sha2",
"high assurance",
"server ca",
"validity",
"united",
"as2914 ntt",
"yuming",
"name servers",
"date",
"next",
"as32780 hosting",
"welcome",
"pulse pulses",
"accept",
"domainmaster",
"creation date",
"expiration date",
"as35280 acorus",
"as396982 google",
"status",
"cname",
"united kingdom",
"trojan",
"service",
"ransom",
"pulse submit",
"asn as35280",
"error",
"japan unknown",
"post https",
"post method",
"medium",
"high",
"registry",
"creates",
"alerts",
"contacted",
"tools",
"win32",
"malware",
"copy",
"persistence",
"execution",
"powershell e",
"script urls",
"httponly set",
"general",
"read c",
"show",
"entries",
"etpro trojan",
"intel",
"ms windows",
"file",
"virustotal",
"write",
"baidu",
"vipre",
"panda",
"download",
"main",
"look",
"install",
"push",
"sape.heur.9b552",
"nod32",
"symantec",
"etpro",
"dynamicloader",
"yara rule",
"stack pivoting",
"cape",
"maninbrowser",
"mitb",
"t1055",
"server",
"registrar abuse",
"contact phone",
"registrar url",
"registrar",
"whois lookup",
"dnssec",
"domain name",
"attempts",
"performs",
"packing t1045",
"browse scan",
"august",
"as174 cogent",
"canada unknown",
"overview ip",
"files domain",
"files related",
"pulses none",
"related tags",
"gmt content",
"type",
"content length",
"svr id",
"encrypt",
"trojandropper",
"virtool",
"msie",
"chrome",
"as45012 dogado",
"tr tr",
"die domain",
"td tr",
"gmt server",
"scan endpoints",
"scoreblue ipv4",
"ripe route",
"ip location",
"asn as45012",
"cloudpit dogado",
"gmbh",
"whois server",
"reverse ip",
"abuse contact",
"de adminc",
"ssh attacker",
"mysql",
"tor relays",
"sabey type",
"showing",
"pulses",
"indicator facts",
"hichina zhicheng technology ltd.,",
"domain",
"as4837 china",
"china unknown",
"default",
"tlsv1",
"germany as34788",
"post",
"windows nt",
"dotted quad",
"fake browser",
"artemis",
"emotet",
"as9808 china",
"as56047 china",
"as56040 china",
"as58541 qingdao",
"et trojan",
"sinkhole cookie",
"macoute",
"sha256",
"yara detections",
"worm",
"explorer",
"possible",
"april",
"uchealth",
"ogoogle inc",
"lsalford",
"ocomodo ca",
"limited",
"secure server",
"c2087940"
],
"references": [
"\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com",
"prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55",
"IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List",
"IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download",
"Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d",
"YARA Detections: WinRAR_SFX",
"High Priority Alerts: antisandbox_unhook antivirus_virustotal",
"utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu",
"dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu",
"mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu",
"extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com",
"trojan.msil.spammer.ai = spammer.ai",
"interact.f5.com",
"https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com",
"http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html",
"https://bd-server.com/user/JasminMcVey2/",
"http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/",
"(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve",
"(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US",
"High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f",
"Suspicious of NSO Pegasus type spyware campaign (possibly)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Singapore",
"Malaysia",
"United States of America",
"Argentina",
"France",
"Sweden",
"Ireland",
"Romania",
"Taiwan",
"Germany",
"Netherlands",
"Brazil",
"Colombia",
"Indonesia",
"Hong Kong",
"Poland",
"Slovakia",
"Lithuania",
"United Kingdom of Great Britain and Northern Ireland",
"Denmark",
"Slovenia",
"Greece",
"Italy",
"Aruba",
"China",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Zonsterarch",
"display_name": "Trojan:Win32/Zonsterarch",
"target": "/malware/Trojan:Win32/Zonsterarch"
},
{
"id": "Win.Ransomware.Sodinokibi-7013612-0",
"display_name": "Win.Ransomware.Sodinokibi-7013612-0",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Spammer:MSIL/Misnt.A",
"display_name": "Spammer:MSIL/Misnt.A",
"target": "/malware/Spammer:MSIL/Misnt.A"
},
{
"id": "SAPE.Heur.9B552",
"display_name": "SAPE.Heur.9B552",
"target": null
},
{
"id": "NOD32",
"display_name": "NOD32",
"target": null
},
{
"id": "Symantec",
"display_name": "Symantec",
"target": null
},
{
"id": "ETPRO",
"display_name": "ETPRO",
"target": null
},
{
"id": "Worm:Win32/Macoute.A",
"display_name": "Worm:Win32/Macoute.A",
"target": "/malware/Worm:Win32/Macoute.A"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "C2087940",
"display_name": "C2087940",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
}
],
"industries": [
"Healthcare",
"Civilian Society",
"Technology",
"Education"
],
"TLP": "green",
"cloned_from": null,
"export_count": 55,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1287,
"hostname": 2995,
"URL": 3606,
"email": 22,
"FileHash-MD5": 173,
"FileHash-SHA256": 1059,
"FileHash-SHA1": 163,
"CIDR": 1,
"SSLCertFingerprint": 43
},
"indicator_count": 9349,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "530 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "669f882c5109175fe742fe58",
"name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR [Pulse of IoC's Curated by user Streaming Ex]",
"description": "",
"modified": "2024-07-23T10:38:36.002000",
"created": "2024-07-23T10:38:36.002000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65709e14974bdb5d6dbda091",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2066,
"URL": 1939,
"hostname": 2768,
"FileHash-SHA256": 276,
"email": 90,
"CVE": 47,
"CIDR": 1,
"FileHash-MD5": 16,
"FileHash-SHA1": 4
},
"indicator_count": 7207,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "635 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65eedf74b7bdda41057bef3e",
"name": "Source Browse- DNS poisoning \u2022 Device CnC",
"description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.",
"modified": "2024-04-10T09:00:27.994000",
"created": "2024-03-11T10:39:48.949000",
"tags": [
"iocs",
"all octoseek",
"blacklist https",
"gmbh version",
"legal",
"service privacy",
"general full",
"reverse dns",
"san francisco",
"asn13335",
"cloudflarenet",
"cloudflare",
"domains",
"service privacy",
"modernizr",
"domainpath name",
"migrate",
"phishing",
"url https",
"united",
"line",
"threat",
"paste",
"analyze",
"value",
"z6s3i string",
"a7i string",
"y3i string",
"e0b function",
"x8i string",
"source level",
"threat analyzer",
"urls https",
"domain",
"webzilla",
"cloudflar",
"system",
"hostnames",
"sample",
"security tls",
"ecdheecdsa",
"resource",
"hash",
"windows nt",
"win64",
"khtml",
"gecko",
"veryhigh",
"limited",
"lsalford",
"ocomodo ca",
"cncomodo ecc",
"secure server",
"olet",
"encrypt",
"cnlet",
"identity search",
"group",
"google https",
"expired",
"comodo",
"tls web",
"log id",
"criteria id",
"1663014711",
"summary leaf",
"timestamp entry",
"log operator",
"error",
"name size",
"parent",
"directory",
"displays",
"targets",
"smartfolder",
"frame",
"bookmarks",
"splitcount",
"nib files",
"design",
"boundsstr",
"rows",
"source browser",
"ruby logo",
"license",
"python",
"python software",
"foundation",
"apple inc",
"php logo",
"visit",
"valid",
"no na",
"no no",
"ip security",
"ca id",
"research group",
"cnisrg root",
"mozilla",
"android",
"binrm",
"targetdisk",
"create",
"crlcachedir",
"makefile",
"dstroot",
"keychainssrc",
"srcroot",
"crl cache",
"install",
"ev server",
"authentication",
"subject",
"digicert https",
"sectigo https",
"certificate",
"ca limited",
"salford",
"greater",
"key usage",
"access",
"ca issuers",
"ocsp",
"x509v3 subject",
"lets",
"identifier",
"411260982",
"poison",
"search",
"status page",
"impressum",
"protocol h2",
"main",
"framing",
"geoip",
"as13335",
"centos",
"as32244",
"liquidweb",
"redirect",
"as16509",
"as133618",
"z6s3i y3i",
"as62597",
"france unknown",
"showing",
"link",
"z6s3i",
"date",
"unknown",
"meta",
"sha256",
"google safe",
"browsing",
"hostname",
"samples",
"td td",
"tr tr",
"a td",
"a domains",
"passive dns",
"a th",
"urls",
"as50295 triple",
"triple mirrors",
"contact",
"moved",
"show",
"accept",
"body",
"microsoft",
"e4609l",
"urls http",
"yoa https",
"url http",
"scan endpoints",
"report spam",
"created",
"weeks ago",
"pulse",
"brashears",
"xvideos",
"capture",
"expiration",
"no expiration",
"entries",
"status",
"as58110 ip",
"for privacy",
"aaaa",
"creation date",
"domain name",
"germany unknown",
"bq mar",
"ipv4",
"pulse pulses",
"files",
"artro",
"files domain",
"files related",
"pulses otx",
"pulses",
"tags",
"servers",
"record value",
"body doctype",
"html public",
"macintosh",
"intel mac",
"os x",
"technology",
"dns replication",
"email",
"server",
"registrar abuse",
"dnssec",
"expiration date",
"registrar iana",
"admin country",
"tech country",
"registry admin",
"url text",
"facebook url",
"google url",
"google",
"software",
"asn15169",
"ip https",
"february",
"request chain",
"http",
"referer",
"aes128gcm",
"pragma",
"frankfurt",
"germany",
"asn213250",
"itpsolutions",
"full url",
"software caddy",
"express",
"ubuntu",
"as14061",
"digitaloceanasn",
"address as",
"april",
"facebook",
"march",
"hashes",
"ip address",
"as autonomous",
"fastly",
"packet",
"kb script",
"b script",
"october",
"resource path",
"size",
"type mimetype",
"redirect chain",
"kb image",
"b image",
"cname",
"as32244 liquid",
"trojan",
"high",
"yara rule",
"sniffs",
"windows",
"anomalous file",
"medium",
"guard",
"filehash",
"js user",
"python connection",
"brian sabey",
"smithtech",
"rexxfield",
"connect facebook",
"open",
"emails",
"next",
"ssl certificate",
"contacted",
"whois record",
"referrer",
"historical ssl",
"resolutions",
"execution",
"whois whois",
"contacted urls",
"linkid69157 url",
"formbook",
"spyware",
"generic malware",
"tag count",
"sat jul",
"threat report",
"ip summary",
"url summary",
"summary",
"generic",
"alerts",
"icmp traffic",
"cust exe",
"depot tech",
"office depot",
"tech",
"customer client",
"june",
"copy",
"network_icmp",
"inject-x64.exe",
"tsara brashears",
"apple ios",
"hacktool",
"download",
"malware",
"relic",
"monitoring",
"tofsee",
"https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27",
"darklivity",
"hijacker",
"remote attackers",
"cybercrime",
"fear factor",
"criminal gang",
"jeffrey reimer",
"miles it",
"history killer",
"apple",
"apple control",
"sreredrum",
"men",
"man",
"hit"
],
"references": [
"videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]",
"videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/",
"https://crt.sh/?q=videolal.com",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html",
"https://opensource.apple.com/source/security_certificates/",
"https://crt.sh/?q=videolal.com",
"https://crt.sh/?graph=410492573&opt=nometadata",
"https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15",
"Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n",
"Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html",
"Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n",
"Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no",
"Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk",
"video-lal.com/videos/sandra-richter-video.html",
"Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html",
"Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language",
"Crazy: video-lal.com/videos/michael-roberts.html",
"https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png",
"http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com",
"notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co",
"Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts",
"http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com",
"http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022",
"Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.",
"Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.",
"Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts",
"Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |",
"http://www.hallrender.com/attorney/brian-sabey |",
"Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1",
"https://www.hallrender.com/attorney/brian-sabey",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com",
"http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe",
"http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com",
"servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif",
"brain-portal.net",
"303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf",
"https://otx.alienvault.com/pulse/64cf438a574eae18716e5954",
"https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1",
"https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde",
"https://otx.alienvault.com/pulse/64d65255c80d866add600bac",
"https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3",
"https://otx.alienvault.com/pulse/64cf438a574eae18716e5954",
"https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608",
"Refuses to remove target from adult content \"tagging\""
],
"public": 1,
"adversary": "[Unnamed group]",
"targeted_countries": [
"Australia",
"United States of America"
],
"malware_families": [
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Win.Malware.Farfli-6824119-0",
"display_name": "Win.Malware.Farfli-6824119-0",
"target": null
},
{
"id": "Win32:TrojanX-Gen[Trj]",
"display_name": "Win32:TrojanX-Gen[Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.006",
"name": "Python",
"display_name": "T1059.006 - Python"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.006",
"name": "Dynamic Linker Hijacking",
"display_name": "T1574.006 - Dynamic Linker Hijacking"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1602.002",
"name": "Network Device Configuration Dump",
"display_name": "T1602.002 - Network Device Configuration Dump"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5328,
"domain": 2339,
"hostname": 2434,
"FileHash-MD5": 1210,
"FileHash-SHA1": 721,
"FileHash-SHA256": 2784,
"SSLCertFingerprint": 5,
"CVE": 2,
"URI": 2,
"email": 10,
"CIDR": 3
},
"indicator_count": 14838,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "739 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c68bc8b8745068608cc50d",
"name": "Metasploit | Ransomware | PinterestPots - Pin.it",
"description": "",
"modified": "2024-03-10T20:03:45.513000",
"created": "2024-02-09T20:32:08.358000",
"tags": [
"whois record",
"contacted",
"tsara brashears",
"ssl certificate",
"apple ios",
"unlocker",
"historical ssl",
"referrer",
"highly targeted",
"critical risk",
"hacktool",
"malicious",
"cobalt strike",
"metasploit",
"installer",
"malware",
"awful",
"android",
"banker",
"keylogger",
"jeffrey reimer",
"emreimer",
"emily reimer goldstien",
"eva lisa",
"eva lisa reimer",
"status code",
"http response",
"ieedge date",
"maxage86400",
"path",
"httponly xcdn",
"connection",
"vary useragent",
"targeting brashears",
"communicating",
"whois whois",
"collections",
"password",
"adult content",
"core",
"metro",
"apple",
"copy",
"suspicious",
"vj99",
"threat",
"slfrd1",
"paste",
"iocs",
"analyze",
"hostnames",
"urls http",
"jid1221717543",
"slc1",
"a domains",
"united",
"search",
"date",
"as15169 google",
"passive dns",
"urls",
"record value",
"name servers",
"status",
"encrypt",
"win32",
"next",
"msie",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse submit",
"url analysis",
"body",
"domain",
"unknown",
"china unknown",
"pulse pulses",
"files",
"ip address",
"servers",
"domain name",
"showing",
"as54113",
"as16625 akamai",
"as20940",
"aaaa",
"cname",
"as396982 google",
"as14061",
"script domains",
"hostname",
"japan unknown",
"gmt content",
"gmt etag",
"pragma",
"accept",
"location japan",
"asn as131965",
"less",
"pulses",
"related tags",
"meta",
"asn as13335",
"443 ma2592000",
"certificate",
"germany unknown",
"script urls",
"link",
"code",
"moved",
"russia unknown",
"as51659 llc",
"as12616 filanc",
"welcome",
"uhttps",
"urls https",
"ccb455304",
"ccb455307",
"vj93",
"uyebaauqaaaaaac",
"malvertizing",
"tagging",
"prefetch8",
"script",
"prefetch1",
"command decode",
"segoe ui",
"suricata ipv4",
"emoji",
"mitre att",
"suricata udpv4",
"roboto",
"courier",
"february",
"hybrid",
"general",
"model",
"comspec",
"click",
"strings"
],
"references": [
"https://gr.pinterest.com/emreimer/",
"Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.",
"message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc",
"http://neurosky.jp",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://45.159.189.105/bot/regex",
"http://alohatube.xyz/search/tsara-brashears",
"facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]",
"alohatube.xyz [keylogger aimed at Tsara Brashears]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"http://alohatube.xyz/search/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashears",
"https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+",
"https://www.sweetheartvideo.com/tsara-brashears/",
"manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca",
"https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]",
"CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34",
"http://www.proxydocker.com/ja/proxy/43.229.135.125:8080",
"https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"www.pornhub.com",
"http://www.pinterest.com/ideas/songwriting/945635263947/",
"https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0",
"webdisk.thehomemakers.nl",
"http://connectivitycheck.gstatic.com/generate_204 [RAT]",
"http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]",
"https://gujarati.ent24x7.comb [RAT]",
"http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb",
"https://tulach.cc/socrative/internal.js",
"http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6",
"https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com",
"162.159.208.8"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Trojan:VBS/MetasploitVBSCmdStager",
"display_name": "Trojan:VBS/MetasploitVBSCmdStager",
"target": "/malware/Trojan:VBS/MetasploitVBSCmdStager"
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3412,
"FileHash-MD5": 194,
"FileHash-SHA1": 159,
"FileHash-SHA256": 2223,
"domain": 2117,
"hostname": 1763,
"CVE": 2,
"email": 5
},
"indicator_count": 9875,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "770 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b807e6e5963d7f29174969",
"name": "Esurance | Trojan:Win32/InstallCore | Amazonaws",
"description": "",
"modified": "2024-02-28T06:00:48.863000",
"created": "2024-01-29T20:17:42.243000",
"tags": [
"no expiration",
"filehashsha256",
"hostname",
"filehashmd5",
"expiration",
"filehashsha1",
"ipv4",
"domain",
"url https",
"url http",
"next",
"a domains",
"accept",
"ad tracker",
"all octoseek",
"amazons3",
"xcache",
"analyze",
"apache",
"cyber threat",
"defense",
"cyber",
"cyber defense",
"crypto",
"critical",
"creation date",
"covid19",
"copy",
"contacted",
"collections",
"code",
"cloudfront",
"click",
"botnet",
"body",
"block",
"best link",
"beds protector",
"backdoor",
"back",
"united",
"asnone",
"asn as133618",
"as27647",
"as24940 hetzner",
"as16552 tiggee",
"google",
"as15169",
"as133618",
"apple",
"apple ios",
"cymulate",
"date",
"defacement",
"default",
"default page",
"dock",
"dock domain",
"download",
"domains",
"emotet",
"encrypt",
"entries",
"evader",
"execution",
"evader",
"xamzexpires600",
"write",
"execution",
"windows module",
"module",
"shared modules",
"windows",
"win32",
"west domains",
"welcome",
"expiressun files files written firm collection germany unknown g",
"https urls",
"http url",
"url",
"collection",
"unknown",
"unique",
"twitter",
"tsara brashears",
"trojandropper",
"tracker",
"metro",
"tmobile",
"memcommit",
"meta",
"title error",
"threat report",
"threat analyzer",
"threat",
"t1129",
"suppobox",
"stop",
"steam route",
"stealer",
"status",
"showing",
"show",
"set cookie",
"search servers",
"server",
"servers",
"search",
"scan endpoints",
"meta",
"dns",
"samples",
"reverse",
"read c",
"ransom",
"push",
"submit",
"pulse",
"pulse pulses",
"proxima nova",
"province tx",
"precreate read",
"read",
"post",
"phishing site",
"pegasus",
"pe resource",
"path xcache",
"path",
"patch",
"paste",
"passive dns",
"open",
"nymaim",
"next",
"name servers",
"load",
"module",
"miss"
],
"references": [
"https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.",
"https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.msil/cymulate",
"display_name": "trojan.msil/cymulate",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b74e347a5554e357bfe1c5",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 490,
"FileHash-SHA1": 351,
"FileHash-SHA256": 1099,
"URL": 188,
"CVE": 1,
"domain": 316,
"email": 2,
"hostname": 829
},
"indicator_count": 3276,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b74e347a5554e357bfe1c5",
"name": "Esurance | Trojan:Win32/InstallCore | Amazonaws",
"description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com\nDiscovered mid - late January 2024.",
"modified": "2024-02-28T06:00:48.863000",
"created": "2024-01-29T07:05:24.671000",
"tags": [
"no expiration",
"filehashsha256",
"hostname",
"filehashmd5",
"expiration",
"filehashsha1",
"ipv4",
"domain",
"url https",
"url http",
"next",
"a domains",
"accept",
"ad tracker",
"all octoseek",
"amazons3",
"xcache",
"analyze",
"apache",
"cyber threat",
"defense",
"cyber",
"cyber defense",
"crypto",
"critical",
"creation date",
"covid19",
"copy",
"contacted",
"collections",
"code",
"cloudfront",
"click",
"botnet",
"body",
"block",
"best link",
"beds protector",
"backdoor",
"back",
"united",
"asnone",
"asn as133618",
"as27647",
"as24940 hetzner",
"as16552 tiggee",
"google",
"as15169",
"as133618",
"apple",
"apple ios",
"cymulate",
"date",
"defacement",
"default",
"default page",
"dock",
"dock domain",
"download",
"domains",
"emotet",
"encrypt",
"entries",
"evader",
"execution",
"evader",
"xamzexpires600",
"write",
"execution",
"windows module",
"module",
"shared modules",
"windows",
"win32",
"west domains",
"welcome",
"expiressun files files written firm collection germany unknown g",
"https urls",
"http url",
"url",
"collection",
"unknown",
"unique",
"twitter",
"tsara brashears",
"trojandropper",
"tracker",
"metro",
"tmobile",
"memcommit",
"meta",
"title error",
"threat report",
"threat analyzer",
"threat",
"t1129",
"suppobox",
"stop",
"steam route",
"stealer",
"status",
"showing",
"show",
"set cookie",
"search servers",
"server",
"servers",
"search",
"scan endpoints",
"meta",
"dns",
"samples",
"reverse",
"read c",
"ransom",
"push",
"submit",
"pulse",
"pulse pulses",
"proxima nova",
"province tx",
"precreate read",
"read",
"post",
"phishing site",
"pegasus",
"pe resource",
"path xcache",
"path",
"patch",
"paste",
"passive dns",
"open",
"nymaim",
"next",
"name servers",
"load",
"module",
"miss"
],
"references": [
"https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.",
"https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.msil/cymulate",
"display_name": "trojan.msil/cymulate",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 490,
"FileHash-SHA1": 351,
"FileHash-SHA256": 1099,
"URL": 188,
"CVE": 1,
"domain": 316,
"email": 2,
"hostname": 829
},
"indicator_count": 3276,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b74dad85b8b1c8291913b6",
"name": "Trojan:Win32/InstallCore | Esurance | Amazonaws",
"description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com",
"modified": "2024-02-28T06:00:48.863000",
"created": "2024-01-29T07:03:09.687000",
"tags": [
"no expiration",
"filehashsha256",
"hostname",
"filehashmd5",
"expiration",
"filehashsha1",
"ipv4",
"domain",
"url https",
"url http",
"next",
"a domains",
"accept",
"ad tracker",
"all octoseek",
"amazons3",
"xcache",
"analyze",
"apache",
"cyber threat",
"defense",
"cyber",
"cyber defense",
"crypto",
"critical",
"creation date",
"covid19",
"copy",
"contacted",
"collections",
"code",
"cloudfront",
"click",
"botnet",
"body",
"block",
"best link",
"beds protector",
"backdoor",
"back",
"united",
"asnone",
"asn as133618",
"as27647",
"as24940 hetzner",
"as16552 tiggee",
"google",
"as15169",
"as133618",
"apple",
"apple ios",
"cymulate",
"date",
"defacement",
"default",
"default page",
"dock",
"dock domain",
"download",
"domains",
"emotet",
"encrypt",
"entries",
"evader",
"execution",
"evader",
"xamzexpires600",
"write",
"execution",
"windows module",
"module",
"shared modules",
"windows",
"win32",
"west domains",
"welcome",
"expiressun files files written firm collection germany unknown g",
"https urls",
"http url",
"url",
"collection",
"unknown",
"unique",
"twitter",
"tsara brashears",
"trojandropper",
"tracker",
"metro",
"tmobile",
"memcommit",
"meta",
"title error",
"threat report",
"threat analyzer",
"threat",
"t1129",
"suppobox",
"stop",
"steam route",
"stealer",
"status",
"showing",
"show",
"set cookie",
"search servers",
"server",
"servers",
"search",
"scan endpoints",
"meta",
"dns",
"samples",
"reverse",
"read c",
"ransom",
"push",
"submit",
"pulse",
"pulse pulses",
"proxima nova",
"province tx",
"precreate read",
"read",
"post",
"phishing site",
"pegasus",
"pe resource",
"path xcache",
"path",
"patch",
"paste",
"passive dns",
"open",
"nymaim",
"next",
"name servers",
"load",
"module",
"miss"
],
"references": [
"https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.",
"https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.msil/cymulate",
"display_name": "trojan.msil/cymulate",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 490,
"FileHash-SHA1": 351,
"FileHash-SHA256": 1099,
"URL": 188,
"CVE": 1,
"domain": 316,
"email": 2,
"hostname": 829
},
"indicator_count": 3276,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b74da9d181a085eecc19b6",
"name": "Trojan:Win32/InstallCore | Esurance | Amazonaws",
"description": "High Priority | \n https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject. | Found in https://www.esurance.com",
"modified": "2024-02-28T06:00:48.863000",
"created": "2024-01-29T07:03:05.828000",
"tags": [
"no expiration",
"filehashsha256",
"hostname",
"filehashmd5",
"expiration",
"filehashsha1",
"ipv4",
"domain",
"url https",
"url http",
"next",
"a domains",
"accept",
"ad tracker",
"all octoseek",
"amazons3",
"xcache",
"analyze",
"apache",
"cyber threat",
"defense",
"cyber",
"cyber defense",
"crypto",
"critical",
"creation date",
"covid19",
"copy",
"contacted",
"collections",
"code",
"cloudfront",
"click",
"botnet",
"body",
"block",
"best link",
"beds protector",
"backdoor",
"back",
"united",
"asnone",
"asn as133618",
"as27647",
"as24940 hetzner",
"as16552 tiggee",
"google",
"as15169",
"as133618",
"apple",
"apple ios",
"cymulate",
"date",
"defacement",
"default",
"default page",
"dock",
"dock domain",
"download",
"domains",
"emotet",
"encrypt",
"entries",
"evader",
"execution",
"evader",
"xamzexpires600",
"write",
"execution",
"windows module",
"module",
"shared modules",
"windows",
"win32",
"west domains",
"welcome",
"expiressun files files written firm collection germany unknown g",
"https urls",
"http url",
"url",
"collection",
"unknown",
"unique",
"twitter",
"tsara brashears",
"trojandropper",
"tracker",
"metro",
"tmobile",
"memcommit",
"meta",
"title error",
"threat report",
"threat analyzer",
"threat",
"t1129",
"suppobox",
"stop",
"steam route",
"stealer",
"status",
"showing",
"show",
"set cookie",
"search servers",
"server",
"servers",
"search",
"scan endpoints",
"meta",
"dns",
"samples",
"reverse",
"read c",
"ransom",
"push",
"submit",
"pulse",
"pulse pulses",
"proxima nova",
"province tx",
"precreate read",
"read",
"post",
"phishing site",
"pegasus",
"pe resource",
"path xcache",
"path",
"patch",
"paste",
"passive dns",
"open",
"nymaim",
"next",
"name servers",
"load",
"module",
"miss"
],
"references": [
"https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.",
"https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "trojan.msil/cymulate",
"display_name": "trojan.msil/cymulate",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Nymaim",
"display_name": "Nymaim",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/InstallCore",
"display_name": "Trojan:Win32/InstallCore",
"target": "/malware/Trojan:Win32/InstallCore"
}
],
"attack_ids": [
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 490,
"FileHash-SHA1": 351,
"FileHash-SHA256": 1099,
"URL": 188,
"CVE": 1,
"domain": 316,
"email": 2,
"hostname": 829
},
"indicator_count": 3276,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "781 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a756ee3c8ce2314e235a",
"name": "Home Networks",
"description": "",
"modified": "2023-12-06T16:54:46.263000",
"created": "2023-12-06T16:54:46.263000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 290,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2298,
"FileHash-SHA256": 24535,
"FileHash-MD5": 7197,
"URL": 1188,
"hostname": 2636,
"JA3": 2,
"email": 96,
"CVE": 44,
"FileHash-SHA1": 7174
},
"indicator_count": 45170,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 114,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a0d760557004620f409f",
"name": "Kelowna Mental Health",
"description": "",
"modified": "2023-12-06T16:27:03.467000",
"created": "2023-12-06T16:27:03.467000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 715,
"CVE": 20,
"FileHash-MD5": 8943,
"FileHash-SHA256": 37374,
"FileHash-SHA1": 8939,
"JA3": 11,
"domain": 497,
"URL": 408,
"email": 38,
"FilePath": 1
},
"indicator_count": 56946,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e245df26a29e78d740a",
"name": "WHO IS MOBI GAMES AKA NIC",
"description": "",
"modified": "2023-12-06T16:15:32.595000",
"created": "2023-12-06T16:15:32.595000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2428,
"FileHash-MD5": 19,
"URL": 2378,
"hostname": 3144,
"FileHash-SHA256": 307,
"email": 87,
"CVE": 47,
"CIDR": 1,
"FileHash-SHA1": 6
},
"indicator_count": 8417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e1db42d958b88f07ca8",
"name": "WHO IS MOBI GAMES AKA NIC",
"description": "",
"modified": "2023-12-06T16:15:25.303000",
"created": "2023-12-06T16:15:25.303000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2428,
"FileHash-MD5": 19,
"URL": 2378,
"hostname": 3141,
"FileHash-SHA256": 307,
"email": 87,
"CVE": 47,
"CIDR": 1,
"FileHash-SHA1": 6
},
"indicator_count": 8414,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e14974bdb5d6dbda091",
"name": "WHO EVERYONE HAS BEEN LOOKING FOR",
"description": "",
"modified": "2023-12-06T16:15:16.406000",
"created": "2023-12-06T16:15:16.406000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2066,
"URL": 1939,
"hostname": 2768,
"FileHash-SHA256": 276,
"email": 90,
"CVE": 47,
"CIDR": 1,
"FileHash-MD5": 16,
"FileHash-SHA1": 4
},
"indicator_count": 7207,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709dd6926a5676de0e2a19",
"name": "Who is SHAW.CA (TUSCOW DOMAINS)",
"description": "",
"modified": "2023-12-06T16:14:13.668000",
"created": "2023-12-06T16:14:13.668000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2427,
"FileHash-SHA256": 24528,
"FileHash-MD5": 7187,
"URL": 1346,
"hostname": 2829,
"JA3": 2,
"email": 99,
"CVE": 43,
"FileHash-SHA1": 7164
},
"indicator_count": 45625,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ca13f7a17df14af4912",
"name": "WHO IS NIC",
"description": "",
"modified": "2023-12-06T16:09:05.625000",
"created": "2023-12-06T16:09:05.625000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2485,
"FileHash-MD5": 39,
"URL": 2407,
"hostname": 3208,
"FileHash-SHA256": 328,
"email": 91,
"CVE": 45,
"CIDR": 1,
"FileHash-SHA1": 26
},
"indicator_count": 8630,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709a49ed44fea53e9aeec5",
"name": "home networks",
"description": "",
"modified": "2023-12-06T15:59:05.075000",
"created": "2023-12-06T15:59:05.075000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2298,
"FileHash-SHA256": 24535,
"FileHash-MD5": 7197,
"URL": 1188,
"hostname": 2636,
"JA3": 2,
"email": 96,
"CVE": 44,
"FileHash-SHA1": 7174
},
"indicator_count": 45170,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657091100e9f5aa6eb534fb4",
"name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue",
"description": "",
"modified": "2023-12-06T15:19:44.839000",
"created": "2023-12-06T15:19:44.839000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2410,
"hostname": 3653,
"domain": 2723,
"URL": 442
},
"indicator_count": 9228,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653d93d7558363942a332cd9",
"name": "CVE-2023-43694",
"description": "",
"modified": "2023-11-27T23:02:02.229000",
"created": "2023-10-28T23:05:59.680000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"URL": 775,
"FileHash-SHA1": 549,
"domain": 453,
"hostname": 292,
"email": 5,
"FileHash-SHA256": 2610,
"FileHash-MD5": 586
},
"indicator_count": 5272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 83,
"modified_text": "873 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64944a718c48be8bb9d2c315",
"name": "WHO IS NIC",
"description": "",
"modified": "2023-11-14T06:01:29.027000",
"created": "2023-06-22T13:19:45.357000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5199,
"domain": 4162,
"hostname": 5260,
"email": 105,
"FileHash-SHA256": 761,
"FileHash-MD5": 40,
"CVE": 97,
"FileHash-SHA1": 28,
"CIDR": 1
},
"indicator_count": 15653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 96,
"modified_text": "887 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f1b78e5e7e24debcdd89b",
"name": "Home Networks",
"description": "",
"modified": "2023-10-30T02:56:56.851000",
"created": "2023-10-30T02:56:56.851000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65136f65f7240bd2ba4b325c",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3274,
"URL": 2565,
"hostname": 3853,
"FileHash-MD5": 12061,
"FileHash-SHA1": 12035,
"FileHash-SHA256": 57447,
"CVE": 68,
"IPv4": 84,
"email": 109,
"JA3": 2
},
"indicator_count": 91498,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "902 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f1b77c1090397a32b6979",
"name": "Home Networks",
"description": "",
"modified": "2023-10-30T02:56:55.293000",
"created": "2023-10-30T02:56:55.293000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65136f65f7240bd2ba4b325c",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3274,
"URL": 2565,
"hostname": 3853,
"FileHash-MD5": 12061,
"FileHash-SHA1": 12035,
"FileHash-SHA256": 57447,
"CVE": 68,
"IPv4": 84,
"email": 109,
"JA3": 2
},
"indicator_count": 91498,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "902 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f1b744f82ff189926035a",
"name": "Home Networks",
"description": "",
"modified": "2023-10-30T02:56:52.243000",
"created": "2023-10-30T02:56:52.243000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65136f65f7240bd2ba4b325c",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3274,
"URL": 2565,
"hostname": 3853,
"FileHash-MD5": 12061,
"FileHash-SHA1": 12035,
"FileHash-SHA256": 57447,
"CVE": 68,
"IPv4": 84,
"email": 109,
"JA3": 2
},
"indicator_count": 91498,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "902 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64e9896df7ea5c41750e6aac",
"name": "Kelowna Mental Health",
"description": "",
"modified": "2023-10-14T00:01:59.166000",
"created": "2023-08-26T05:11:09.863000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 785,
"domain": 550,
"email": 38,
"URL": 511,
"CVE": 21,
"FileHash-MD5": 15725,
"FileHash-SHA1": 15719,
"FileHash-SHA256": 67914,
"JA3": 11,
"FilePath": 1
},
"indicator_count": 101275,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 88,
"modified_text": "918 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65136f65f7240bd2ba4b325c",
"name": "Home Networks",
"description": "",
"modified": "2023-09-26T23:55:17.763000",
"created": "2023-09-26T23:55:17.763000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "645a0d4c0e0c3cffd34ec23a",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3274,
"URL": 2565,
"hostname": 3853,
"FileHash-MD5": 12061,
"FileHash-SHA1": 12035,
"FileHash-SHA256": 57447,
"CVE": 68,
"IPv4": 84,
"email": 109,
"JA3": 2
},
"indicator_count": 91498,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "935 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c0e9db04ed02765f336f16",
"name": "Who is Joel lesperance",
"description": "",
"modified": "2023-09-23T01:05:28.173000",
"created": "2023-07-26T09:39:39.925000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64944a718c48be8bb9d2c315",
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3852,
"domain": 2401,
"hostname": 3458,
"email": 127,
"FileHash-SHA256": 637,
"FileHash-MD5": 16,
"CVE": 108,
"FileHash-SHA1": 6
},
"indicator_count": 10605,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 85,
"modified_text": "939 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64ab412e96e4858e508978c7",
"name": "rogers",
"description": "",
"modified": "2023-09-07T00:03:31.457000",
"created": "2023-07-09T23:22:22.861000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1132,
"hostname": 1682,
"URL": 520,
"CVE": 94,
"email": 87,
"FileHash-SHA256": 3120,
"FileHash-MD5": 608,
"FileHash-SHA1": 605
},
"indicator_count": 7848,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 87,
"modified_text": "955 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64ab46ec79ba3a3f9f859541",
"name": "rogers",
"description": "",
"modified": "2023-09-07T00:03:31.457000",
"created": "2023-07-09T23:46:52.829000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 707,
"hostname": 1550,
"domain": 940,
"CVE": 94,
"email": 84,
"FileHash-SHA256": 25,
"FileHash-MD5": 2
},
"indicator_count": 3402,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 88,
"modified_text": "955 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c17dc34265fd1359962a8a",
"name": "Who is SHAW.CA (TUSCOW DOMAINS)",
"description": "",
"modified": "2023-08-31T23:01:13.597000",
"created": "2023-07-26T20:10:43.473000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "645a0d4c0e0c3cffd34ec23a",
"export_count": 299,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3539,
"URL": 3403,
"hostname": 4473,
"FileHash-MD5": 12051,
"FileHash-SHA1": 12025,
"FileHash-SHA256": 57441,
"CVE": 63,
"IPv4": 84,
"email": 112,
"JA3": 2
},
"indicator_count": 93193,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "961 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c8267397a7cce9adeecaa0",
"name": "SAV.COM WHO IS SOURCEADULT.COM",
"description": "",
"modified": "2023-08-31T20:05:29.053000",
"created": "2023-07-31T21:24:03.974000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64c0e9db04ed02765f336f16",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3868,
"domain": 2452,
"hostname": 3586,
"email": 134,
"FileHash-SHA256": 668,
"FileHash-MD5": 17,
"CVE": 109,
"FileHash-SHA1": 7
},
"indicator_count": 10841,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 85,
"modified_text": "962 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c826748caebf09e24fbd12",
"name": "SAV.COM WHO IS SOURCEADULT.COM",
"description": "",
"modified": "2023-08-31T19:04:41.183000",
"created": "2023-07-31T21:24:04.985000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64c0e9db04ed02765f336f16",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3904,
"domain": 2435,
"hostname": 3625,
"email": 131,
"FileHash-SHA256": 637,
"FileHash-MD5": 16,
"CVE": 109,
"FileHash-SHA1": 6
},
"indicator_count": 10863,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 83,
"modified_text": "962 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c3210e7bb5f0a9972175ba",
"name": "WHO EVERYONE HAS BEEN LOOKING FOR",
"description": "",
"modified": "2023-08-31T00:02:54.189000",
"created": "2023-07-28T01:59:42.114000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64944a718c48be8bb9d2c315",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4204,
"domain": 3263,
"hostname": 4282,
"email": 103,
"FileHash-SHA256": 638,
"FileHash-MD5": 17,
"CVE": 97,
"FileHash-SHA1": 6,
"CIDR": 1
},
"indicator_count": 12611,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 85,
"modified_text": "962 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "645a0d4c0e0c3cffd34ec23a",
"name": "home networks",
"description": "home wifi",
"modified": "2023-08-30T03:05:36.781000",
"created": "2023-05-09T09:07:24.476000",
"tags": [
"home wifi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3274,
"URL": 2565,
"hostname": 3853,
"FileHash-MD5": 12061,
"FileHash-SHA1": 12035,
"FileHash-SHA256": 57447,
"CVE": 68,
"IPv4": 84,
"email": 109,
"JA3": 2
},
"indicator_count": 91498,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 94,
"modified_text": "963 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c446d9fa11016096a06f61",
"name": "WHO IS MOBI GAMES AKA NIC",
"description": "",
"modified": "2023-08-30T00:00:55.061000",
"created": "2023-07-28T22:53:13.536000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64944a718c48be8bb9d2c315",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5170,
"domain": 4105,
"hostname": 5183,
"email": 100,
"FileHash-SHA256": 740,
"FileHash-MD5": 20,
"CVE": 97,
"FileHash-SHA1": 8,
"CIDR": 1
},
"indicator_count": 15424,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 83,
"modified_text": "963 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64c446dacd742b956b571f9a",
"name": "WHO IS MOBI GAMES AKA NIC",
"description": "",
"modified": "2023-08-30T00:00:55.061000",
"created": "2023-07-28T22:53:14.751000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64944a718c48be8bb9d2c315",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5170,
"domain": 4104,
"hostname": 5186,
"email": 100,
"FileHash-SHA256": 740,
"FileHash-MD5": 20,
"CVE": 98,
"FileHash-SHA1": 8,
"CIDR": 1
},
"indicator_count": 15427,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "963 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64e968d70cd309a42bf26bce",
"name": "Hackers operate a Spotify account. Dark Web Malware https://applepaytesting.spotify.com - Welcome to nginx!",
"description": "https://applepaytesting.spotify.com. Greeting: Welcome to nginx!\nHackers operate a Spotify account.from the Dark Web in part of a rather large cyber warfare attack on an individual with a small business.",
"modified": "2023-08-26T02:52:07.897000",
"created": "2023-08-26T02:52:07.897000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2,
"FileHash-SHA256": 7
},
"indicator_count": 9,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "967 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64e3217fe15aa85db6c1b1be",
"name": "Welcome to nginx!",
"description": "Nginx is a web server designed to make websites look more like web-based, rather than in-house, and that is the only option available on the web for web users to use.",
"modified": "2023-08-21T08:34:07.671000",
"created": "2023-08-21T08:34:07.671000",
"tags": [
"welcome",
"thank"
],
"references": [
"http://nginx.clouddefenseai.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OGsizzle",
"id": "249379",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2
},
"indicator_count": 2,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 27,
"modified_text": "972 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64738158d6da7115bc4ba9ae",
"name": "v2 with hybrid data 46XKY8QY.htm",
"description": "The following has been described as \"highly suspicious\" and \"suspicious\" by a number of people on social media, including those who are known to have been caught up in a security breach.",
"modified": "2023-06-27T12:03:43.609000",
"created": "2023-05-28T16:29:12.410000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"memoryfile scan",
"dropped file",
"runtime data",
"microsoft",
"dumps",
"file string",
"unicode",
"null",
"varchar",
"june",
"facebook",
"error",
"bank",
"close",
"code",
"date",
"roboto",
"explorer",
"meta",
"body",
"blink",
"win64",
"entity",
"copia",
"generator",
"format",
"later",
"grazie",
"back",
"batal",
"comment",
"suspicious",
"cookie",
"contact",
"import",
"next",
"magic",
"internal",
"window",
"blank",
"void",
"verify",
"service",
"fail",
"media",
"alla",
"enjoy",
"infinity",
"yang",
"mini",
"webview",
"4629",
"false",
"path",
"hybrid",
"click",
"hosts",
"valentine",
"mask",
"general",
"strings",
"team",
"april",
"qakbot",
"welcome",
"thank",
"fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de"
],
"references": [
"http://peoplesservicz.com/",
"fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de",
"https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de",
"https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de/647341991c874a18be0049f5"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1213",
"name": "Data from Information Repositories",
"display_name": "T1213 - Data from Information Repositories"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1253,
"URL": 3938,
"domain": 1087,
"FileHash-SHA256": 80,
"FileHash-MD5": 37,
"FileHash-SHA1": 25
},
"indicator_count": 6420,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "1027 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15",
"https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:",
"I am very upset. Whoever is doing this is sick.",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"http://consolefoundry.date/one/gate.php",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"http://connectivitycheck.gstatic.com/generate_204 [RAT]",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"https://es.pornhat.com/models/the-sex-creator/",
"https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
"C2: \u2022 xred.mooo.com | Xred backdoor detected",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"iamrobert.com Y.A.S.",
"Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
"servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif",
"https://otx.alienvault.com/pulse/637d62b085a09abca4d6020f",
"webdisk.thehomemakers.nl",
"DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}",
"High Priority Alerts: antisandbox_unhook antivirus_virustotal",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"https://otx.alienvault.com/pulse/678f0dbdbc59dd2ea5656dcf",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"https://opensource.apple.com/source/security_certificates/",
"High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f",
"https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+",
"\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com",
"https://jaffacakes118.dev/analysis/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Relationships below | https://otx.alienvault.com/indicator/file/f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde",
"prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"2012647\tDropbox.com Offsite File Backup in Use",
"Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d",
"https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/",
"https://gujarati.ent24x7.comb [RAT]",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/",
"https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs RULE_AUTHOR: X__Junior",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US",
"aohhpesayw.lawsonengineers.co.",
"https://otx.alienvault.com/malware/Trojan:Win32%2FInstallCore/",
"DoD Network Information Center (DNIC)",
"Christoper Ahmann work photo: https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"consolefoundry.date \u2022 http://consolefoundry.date",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"target.dropboxbusiness.com",
"https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de/647341991c874a18be0049f5",
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
"https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"https://www.hallrender.com/attorney/brian-sabey",
"message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc",
"https://www.google.com/search",
"YARA Detections: WinRAR_SFX",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.",
"https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3",
"http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6",
"(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve",
"https://crt.sh/?graph=410492573&opt=nometadata",
"Found in this pulse targeting SA victim | https://otx.alienvault.com/pulse/691f4d4ef0a2a570b8b21cd2",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html",
"https://www.sweetheartvideo.com/tsara-brashears",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]",
"http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"Target agreed and complied with all lie detector measures.",
"https://cym-files-download.s3.eu-west-1.amazonaws.com/exploit-kit/CVE-2017-0037.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAJPJC2Q3D5GWFTK3Q/20221112/eu-west-1/s3/aws4_request&X-Amz-Date=20221112T011612Z&X-Amz-Expires=600&X-Amz-Signature=d7920434ca748c3bd795457c7dd013380cf2d7e6b99ecf4711569c5590c6b3c0&X-Amz-SignedHeaders=host&x-id=GetObject.",
"metropcs.com/account/sign-in.html",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html",
"https://crt.sh/?q=videolal.com",
"https://otx.alienvault.com/pulse/64d65255c80d866add600bac",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST)",
"https://therahand.com",
"Name Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://tulach.cc/socrative/internal.js",
"Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1",
"videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com",
"brain-portal.net",
"http://www.hallrender.com/attorney/brian-sabey |",
"https://meumundogay-com.sexogratis.page/locker",
"303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"https://bd-server.com/user/JasminMcVey2/",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html",
"http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/",
"https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com",
"http://peoplesservicz.com/",
"http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1",
"manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]",
"alohatube.xyz [keylogger aimed at Tsara Brashears]",
"https://www.sweetheartvideo.com/tsara-brashearsAccept-Language",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry.date/one/gate.php",
"Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems",
"videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]",
"notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"https://alohatube.xyz/search/tsara-brashears",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"afraid.org | evergreen.afraid.org",
"dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu",
"video-lal.com/videos/sandra-richter-video.html",
"https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com",
"Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.",
"http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com",
"Domain https://tamlegal.com/attorneys/christopher-p-ahmann/",
"BinBusyBox: 0x.un5t48l3.host",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"Python Wheel package",
"www.pornhub.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"http://freedns.afraid.org/images/apple.gif",
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Large detailed pulse : https://otx.alienvault.com/pulse/6920c43c3772bb24f26f70cc",
"Alerts: packer_unknown",
"gitea.neconsside.com \u2022 http://f7194.vip/login",
"http://alohatube.xyz/search/tsara-brashears/",
"https://www.pornhub.com/video/search?search=tsara+brashears",
"https://www.sweetheartvideo.com/tsara-brashears/",
"admin@bigtits.com",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022",
"http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com",
"mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Can the DoD no questions asked target a SA victim",
"https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png",
"utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"trojan.msil.spammer.ai = spammer.ai",
"Crazy: video-lal.com/videos/michael-roberts.html",
"Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"interact.f5.com",
"http://www.proxydocker.com/ja/proxy/43.229.135.125:8080",
"https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://api.strem.io/api/addonCollectionGet%",
"IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://otx.alienvault.com/pulse/64cf438a574eae18716e5954",
"https://apps.apple.com/app/",
"https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com",
"https://gr.pinterest.com/emreimer/",
"Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no",
"http://alohatube.xyz/search/tsara-brashears",
"http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb",
"http://nginx.clouddefenseai.com/",
"Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"Christopher Ahmann @ play https://urlscan.io/screenshots/019aa896-590f-7069-b68a-3a3714d4332e.png",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html",
"Refuses to remove target from adult content \"tagging\"",
"http://www.pinterest.com/ideas/songwriting/945635263947/",
"https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0",
"https://otx.alienvault.com/pulse/66f31b9a0551ca166c872292",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"Malicious IP Contacted: 69.42.215.252",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n",
"AS24961 MyLoc Managed IT AG",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"http://45.159.189.105/bot/regex",
"162.159.208.8",
"https://www.red-gate.com/products/smartassembly",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"www.socialimages.reputationdatabase.com",
"Suspicious of NSO Pegasus type spyware campaign (possibly)",
"http://neurosky.jp",
"https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html",
"https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud",
"If someone is believed to be a threat they have right to due process.",
"Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |",
"Colorado maintains a public-facing police misconduct database via the state's",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n",
"https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
"http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Palantir- http://freedns.afraid.org/images/apple.gif",
"http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://otx.alienvault.com/pulse/68788dfd4a0943cb318c7137",
"CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34",
"facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://freedns.afraid.org/images/exclamation",
"https://hybrid-analysis.com/sample/fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de",
"command_and_control : 42.250.147.101 \u2022 IPv4\t69.42.215.252",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"fb47468a2cd3953c7131431991afcc6a2703f14640520102eea0a685a7e8d6de",
"https://mwdb.cert.pl/file/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"[Unnamed group]",
"NSO Pegasus"
],
"malware_families": [
"Trojan.msil/cymulate",
"Neshta",
"Worm:win32/autorun!atmn",
"Sape.heur.9b552",
"Win.trojan.barys-10005825-0",
"#exploit:win32/cve- 2023 - 23397",
"Win.dropper.nanocore-10021490-0",
"Domains",
"Generic",
"Win.malware.qshell-9875653",
"Win32:trojanx-gen[trj]",
"Inmortal",
"Fakeav.for",
"Win.trojan.agent-306281",
"Elf:gafgyt-dz\\ [trj]",
"A variant of win32/kryptik.deoa",
"Elf:mirai-gh\\ [trj]",
"Worm:win32/autorun.xxy!bit",
"Win32:malob-db\\ [cryp]",
"Virtool:win32/obfuscator.ki",
"Nids",
"Malwarex-gen",
"Trojan:win32/zonsterarch",
"Win.malware.farfli-6824119-0",
"Malware",
"Worm:win32/mydoom",
"Alf:pulzati:worm:win32/mydoom",
"Worm:win32/autorun.b",
"Unix.trojan.mirai-5607483-0",
"Et",
"Alf:exploit:win32/gsharedinforef.a",
"Nymaim",
"Other malware",
"Trojan:win32/installcore",
"Trojan:win32/zusy",
"Win.downloader.small",
"Symantec",
"\u2019m",
"Win.trojan.emotet-9850453",
"Win.ransomware.sodinokibi-7013612-0",
"Et trojan",
"Worm:win32/macoute.a",
"Alf:jasyp:pua:win32/4shared",
"Win.trojan.blacknetrat-7838854-0",
"Trojandropper:win32/vb.il",
"Nod32",
"Win.malware.jaik-9968280-0",
"Psw:win32/vb.cu",
"Hacktool",
"Code overlap",
"Wannacry",
"Tofsee",
"Trojan:win32/pariham.a",
"Win.trojan.installcore-877",
"Trojan:win32/magania.dsk!mtb",
"Trojan:win32/comisproc!gmb",
"Suppobox",
"Mirai",
"Artro",
"Cobalt strike",
"Zegost",
"Pegasus",
"Trojan:vbs/metasploitvbscmdstager",
"Trojandownloader:win32/cutwail",
"Backdoor:win32/fynloski.a",
"Emotet",
"Tibs",
"Atros3.ahfb",
"C2087940",
"Foundry",
"Win32/darkwatchman",
"Worm:win32/autorun",
"Win.packed.remcos-10024510-0",
"Apnic",
"Spammer:msil/misnt.a",
"Kentuchy",
"Etpro"
],
"industries": [
"Civil society",
"Healthcare",
"Telecommunications",
"Civilian society",
"Media",
"Civilian",
"Technology",
"Education"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69b4976f33b3aeaa0fb81c6c",
"name": "Spam DarkWatchman - Christopher P Ahmann | Palantir/ Foundry | | Deleting IoCs ",
"description": "",
"modified": "2026-03-13T23:02:07.162000",
"created": "2026-03-13T23:02:07.162000",
"tags": [
"darkwatchman",
"trojan",
"dark comet",
"stop",
"palantir",
"foundry",
"tam legal",
"quasi government",
"xred",
"darkgate",
"elex",
"glassworm",
"autorun",
"workman\u2019s compensation",
"denver colorado",
"monitored target",
"targeting tsara brashears",
"assaulter jeffrey reimer",
"apple",
"targeting apple products",
"robert neill hit man",
"murderers",
"discovery",
"gather victim",
"run keys",
"startup",
"folder",
"modules",
"manipulation",
"execution",
"capture",
"persistence",
"virtual machine",
"brian sabey",
"rubin pusha",
"psyops",
"law enforcement",
"tony spurlock",
"cyber crime",
"physical crime",
"reputation damage",
"malicious media",
"illegal",
"stalking",
"false imprisonment",
"swatting",
"c2",
"cnc",
"infiltration",
"software",
"encoding",
"match peb",
"peb idrdata",
"getprocaddress",
"file attributes",
"e1113",
"execu",
"autostart",
"logon",
"shared modules",
"windows match",
"hires hit men",
"legal entities",
"government contractors",
"sheriff",
"afraid",
"boot",
"financial exploitation",
"hacking",
"phishing",
"chaos",
"tools",
"illegal",
"targeting dropbox",
"remote. attacks",
"att long lines",
"ids detections",
"yara detections",
"filehash",
"pulse pulses",
"av detections",
"alerts",
"analysis date",
"file score",
"worm",
"dns update",
"shgetmalloc",
"delphi",
"dllimport",
"read c",
"write c",
"search",
"wsasend",
"intptr",
"post",
"create c",
"instrumentation",
"null",
"write",
"service",
"malware",
"main",
"look",
"install",
"wmi",
"et trojan",
"drive content",
"truth",
"name",
"query",
"dynamic dns",
"update request",
"myapp",
"zeppelin30",
"bobsoft mini",
"bobsoft",
"patrick",
"anyxxx"
],
"references": [
"Domain https://tamlegal.com/attorneys/christopher-p-ahmann/",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Malicious IP Contacted: 69.42.215.252",
"Found in this pulse targeting SA victim | https://otx.alienvault.com/pulse/691f4d4ef0a2a570b8b21cd2",
"Large detailed pulse : https://otx.alienvault.com/pulse/6920c43c3772bb24f26f70cc",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"Palantir- http://freedns.afraid.org/images/apple.gif",
"C2: \u2022 xred.mooo.com | Xred backdoor detected",
"https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs RULE_AUTHOR: X__Junior",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST)",
"Relationships below | https://otx.alienvault.com/indicator/file/f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d",
"https://otx.alienvault.com/pulse/68788dfd4a0943cb318c7137",
"https://otx.alienvault.com/pulse/678f0dbdbc59dd2ea5656dcf",
"https://otx.alienvault.com/pulse/66f31b9a0551ca166c872292",
"https://otx.alienvault.com/pulse/637d62b085a09abca4d6020f",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://mwdb.cert.pl/file/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"https://jaffacakes118.dev/analysis/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"command_and_control : 42.250.147.101 \u2022 IPv4\t69.42.215.252",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Christoper Ahmann work photo: https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"Christopher Ahmann @ play https://urlscan.io/screenshots/019aa896-590f-7069-b68a-3a3714d4332e.png",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Qshell-9875653",
"display_name": "Win.Malware.Qshell-9875653",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win32/DarkWatchman",
"display_name": "Win32/DarkWatchman",
"target": null
},
{
"id": "ET TROJAN",
"display_name": "ET TROJAN",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": "6920f8345100dc513679661e",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 15,
"URL": 115,
"FileHash-MD5": 23,
"FileHash-SHA1": 17,
"FileHash-SHA256": 57,
"hostname": 45
},
"indicator_count": 272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "36 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695555b664c8998371393b8f",
"name": "\u200emyMetro App - App Store \u2022 Access Attack via iOS App",
"description": "Apple iOS attack. Drive by compromise. Device fully compromised. Service provider incorrect. Device user does not use MetroPCS as Cellular carrier. \n\n#cyberwarfare #pegasus #endgame #apple #earsinthecornfield #compromised_device #zombie",
"modified": "2026-01-30T16:01:37.437000",
"created": "2025-12-31T16:56:22.577000",
"tags": [
"espaol",
"metro pcs",
"metro",
"english",
"data",
"privacy",
"learn",
"requires",
"strong",
"see all",
"bernie",
"mint",
"never",
"example",
"click",
"indonesia",
"\u2019m",
"win32mydoom dec",
"united",
"trojan",
"name servers",
"servers",
"expiration date",
"backdoor",
"found",
"passive dns",
"gmt connection",
"control",
"content type",
"twitter",
"title",
"aaaa",
"ember cli",
"ember view",
"certificate",
"win32",
"invalid url",
"body html",
"head title",
"title head",
"body h1",
"reference",
"urls",
"akamai",
"unknown ns",
"domain",
"search",
"ipv4",
"files",
"reverse dns",
"location united",
"america flag",
"america asn",
"dynamicloader",
"port",
"high",
"medium",
"windows",
"displayname",
"write",
"destination",
"tofsee",
"stream",
"malware",
"hostile",
"read c",
"show",
"rgba",
"unicode",
"whitelisted",
"memcommit",
"delete",
"execution",
"dock",
"persistence",
"msie",
"chrome",
"ip address",
"otx telemetry",
"unknown soa",
"gmt content",
"for privacy",
"moved",
"record value",
"ubuntu date",
"encrypt",
"a domains",
"welcome",
"type",
"content length",
"ipv4 add",
"url analysis",
"accept",
"overview domain",
"files ip",
"address",
"location france",
"asn as16276",
"tags none",
"indicator facts",
"historical otx",
"france unknown",
"ovhcloud meta",
"domain add",
"present dec",
"status",
"service",
"win32cutwail",
"setcookie",
"gmt server",
"refloadapihash",
"virtool",
"present nov",
"present oct",
"all ipv4",
"hostname",
"present jul",
"saudi arabia",
"present mar",
"present jun",
"present feb",
"entries",
"france asn",
"asn as16509",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"ascii text",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"hybrid",
"local",
"path",
"strings",
"delete c",
"okrndate",
"grum",
"powershell",
"pegasus",
"unknown",
"crlf line",
"ff d5",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"f0 ff",
"ff bb",
"push",
"autorun",
"suspicious",
"pulse pulses",
"date",
"music",
"apple",
"apple id",
"show process",
"flag",
"markmonitor",
"name tactics",
"informative",
"command",
"adversaries",
"spawns",
"access att",
"t1566 phishing",
"zerobits",
"allocationtype",
"protect",
"programfiles",
"processhandle",
"commitsize",
"viewsize",
"regionsize",
"handles modules",
"files amsi",
"filehandle",
"path filehandle",
"porthandle",
"copy md5",
"copy sha1",
"copy sha256",
"href",
"null",
"refresh",
"body",
"span",
"general",
"error",
"tools",
"look",
"verify",
"restart",
"html",
"x22scriptx22",
"binary file",
"t1189",
"cyberwarfare",
"brian sabey",
"never say anything",
"christopher ahmann",
"colorado state",
"quasi",
"zombie device",
"present may",
"emails",
"exif standard",
"tiff image",
"windows nt",
"wow64",
"slcc2",
"media center",
"jpeg image",
"copy",
"next",
"pecompact",
"february",
"packer",
"delphi",
"code",
"tlsv1",
"ogoogle trust",
"xserver",
"lowfi",
"creation date",
"domain name",
"showing",
"ids detections",
"yara detections",
"worm",
"arial",
"present aug",
"meta",
"dns domain",
"site",
"free dns",
"msil",
"dnssec",
"penetration",
"injections",
"dead host"
],
"references": [
"https://apps.apple.com/app/",
"metropcs.com/account/sign-in.html",
"smtp.google.com \u2022 www.google.com/images/errors/robot.png",
"https://www.endgamesystems.com/ \u2022 https://www.endgames.com/",
"https://freedns.afraid.org/images/exclamation",
"xred.mooo.com \u2022 mooo.com \u2022 afraid.org",
"admin@bigtits.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Worm:Win32/Mydoom",
"display_name": "Worm:Win32/Mydoom",
"target": "/malware/Worm:Win32/Mydoom"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Win.Trojan.Installcore-877",
"display_name": "Win.Trojan.Installcore-877",
"target": null
},
{
"id": "Win.Downloader.Small",
"display_name": "Win.Downloader.Small",
"target": null
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
},
{
"id": "Tibs",
"display_name": "Tibs",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/4Shared",
"display_name": "ALF:JASYP:PUA:Win32/4Shared",
"target": null
}
],
"attack_ids": [
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1589",
"name": "Gather Victim Identity Information",
"display_name": "T1589 - Gather Victim Identity Information"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1195.001",
"name": "Compromise Software Dependencies and Development Tools",
"display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
},
{
"id": "T1577",
"name": "Compromise Application Executable",
"display_name": "T1577 - Compromise Application Executable"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1863,
"URL": 4952,
"FileHash-SHA256": 1990,
"FileHash-MD5": 981,
"FileHash-SHA1": 791,
"email": 26,
"domain": 1277,
"SSLCertFingerprint": 24
},
"indicator_count": 11904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "79 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "96 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "102 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6920f8345100dc513679661e",
"name": "DarkWatchman - Christopher P Ahmann | Palantir/ Foundry | The \u2018small pulse\u2019 version",
"description": "Christopher P. Ahmann is a darkwatchman. Type: \u2018 I feel disenfranchised \u2019 Totally inappropriate behavior.\nA dangerous thinker, planner , enlister , and actor. If you spend this much time trying to kill one person just think of how many others.\n\nPalantir - Playing God.\nPeter Theil - A serial entrepreneur. He\u2019ll allow a few dozen people to live if asked.\nHe is a Christian! Afraid of an apocalypse he\u2019s causing but not God. Peter of the Bible betrayed Jesus of Nazareth NOT Israel (1948 people) ironically before he \u2018cock\u2019 crowed 3 times.. \n(Calm down Tsara had true Jewish DNA) \n\nAlexander Karp - Seriously? Karp Quotes: Were doin\u2019 it!\u2019 \u2018 I want to douse crowds of people with fentanyl laced urine and make people poor!\u2019 \u2018We kill Palestinians! It\u2019s us!\u2019 He would have killed for free \n\nThe Y.A.S post wasn\u2019t added or approved by me. I\u2019m the lead but only 1 of 16 researchers. We get upset.",
"modified": "2025-12-21T22:00:16.311000",
"created": "2025-11-21T23:39:32.424000",
"tags": [
"darkwatchman",
"trojan",
"dark comet",
"stop",
"palantir",
"foundry",
"tam legal",
"quasi government",
"xred",
"darkgate",
"elex",
"glassworm",
"autorun",
"workman\u2019s compensation",
"denver colorado",
"monitored target",
"targeting tsara brashears",
"assaulter jeffrey reimer",
"apple",
"targeting apple products",
"robert neill hit man",
"murderers",
"discovery",
"gather victim",
"run keys",
"startup",
"folder",
"modules",
"manipulation",
"execution",
"capture",
"persistence",
"virtual machine",
"brian sabey",
"rubin pusha",
"psyops",
"law enforcement",
"tony spurlock",
"cyber crime",
"physical crime",
"reputation damage",
"malicious media",
"illegal",
"stalking",
"false imprisonment",
"swatting",
"c2",
"cnc",
"infiltration",
"software",
"encoding",
"match peb",
"peb idrdata",
"getprocaddress",
"file attributes",
"e1113",
"execu",
"autostart",
"logon",
"shared modules",
"windows match",
"hires hit men",
"legal entities",
"government contractors",
"sheriff",
"afraid",
"boot",
"financial exploitation",
"hacking",
"phishing",
"chaos",
"tools",
"illegal",
"targeting dropbox",
"remote. attacks",
"att long lines",
"ids detections",
"yara detections",
"filehash",
"pulse pulses",
"av detections",
"alerts",
"analysis date",
"file score",
"worm",
"dns update",
"shgetmalloc",
"delphi",
"dllimport",
"read c",
"write c",
"search",
"wsasend",
"intptr",
"post",
"create c",
"instrumentation",
"null",
"write",
"service",
"malware",
"main",
"look",
"install",
"wmi",
"et trojan",
"drive content",
"truth",
"name",
"query",
"dynamic dns",
"update request",
"myapp",
"zeppelin30",
"bobsoft mini",
"bobsoft",
"patrick",
"anyxxx"
],
"references": [
"Domain https://tamlegal.com/attorneys/christopher-p-ahmann/",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Malicious IP Contacted: 69.42.215.252",
"Found in this pulse targeting SA victim | https://otx.alienvault.com/pulse/691f4d4ef0a2a570b8b21cd2",
"Large detailed pulse : https://otx.alienvault.com/pulse/6920c43c3772bb24f26f70cc",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"Palantir- http://freedns.afraid.org/images/apple.gif",
"C2: \u2022 xred.mooo.com | Xred backdoor detected",
"https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs RULE_AUTHOR: X__Junior",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST)",
"Relationships below | https://otx.alienvault.com/indicator/file/f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d",
"https://otx.alienvault.com/pulse/68788dfd4a0943cb318c7137",
"https://otx.alienvault.com/pulse/678f0dbdbc59dd2ea5656dcf",
"https://otx.alienvault.com/pulse/66f31b9a0551ca166c872292",
"https://otx.alienvault.com/pulse/637d62b085a09abca4d6020f",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://mwdb.cert.pl/file/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"https://jaffacakes118.dev/analysis/d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"command_and_control : 42.250.147.101 \u2022 IPv4\t69.42.215.252",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Christoper Ahmann work photo: https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"Christopher Ahmann @ play https://urlscan.io/screenshots/019aa896-590f-7069-b68a-3a3714d4332e.png",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Qshell-9875653",
"display_name": "Win.Malware.Qshell-9875653",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win32/DarkWatchman",
"display_name": "Win32/DarkWatchman",
"target": null
},
{
"id": "ET TROJAN",
"display_name": "ET TROJAN",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1078",
"name": "Valid Accounts",
"display_name": "T1078 - Valid Accounts"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 15,
"URL": 115,
"FileHash-MD5": 23,
"FileHash-SHA1": 17,
"FileHash-SHA256": 57,
"hostname": 45
},
"indicator_count": 272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "119 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "119 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68feb98a8c1b75b4431a3e8e",
"name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?",
"description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.",
"modified": "2025-11-25T20:05:31.749000",
"created": "2025-10-27T00:15:06.191000",
"tags": [
"html internet",
"html document",
"ascii text",
"language",
"cve202323397",
"iframe tags",
"tag manager",
"gtmkvjvztk",
"anchor hrefs",
"info ta0011",
"protocol",
"layer protocol",
"port",
"t1571 encrypted",
"channel",
"t1573 malware",
"tree",
"oc0006 http",
"c0014",
"get http",
"dns resolutions",
"resolved ips",
"user",
"data",
"datacrashpad",
"edge",
"v full",
"reports v",
"chrome u",
"appdata local",
"googlechrome u",
"u ser",
"cname",
"ip address",
"http",
"accept",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"shutdown",
"extraction",
"suggested iocs",
"data upload",
"cry dee",
"stop",
"type",
"url indicator",
"enter",
"failed",
"se share",
"extrac",
"enter so",
"passive dns",
"urls",
"hostname add",
"pulse pulses",
"files",
"domain",
"files ip",
"address",
"location united",
"asn as20473",
"dynamicloader",
"directui",
"write c",
"intel",
"ms windows",
"pe32",
"element",
"delete c",
"document file",
"v2 document",
"explorer",
"trojandropper",
"write",
"markus",
"august",
"movie",
"insert",
"pulse submit",
"url analysis",
"asn as8068",
"united",
"entries",
"body",
"please",
"x msedge",
"ipv4 add",
"present sep",
"present oct",
"present feb",
"status",
"unknown ns",
"search",
"name servers",
"present jul",
"aaaa",
"present apr",
"trojan",
"medium",
"high",
"yara rule",
"globalc",
"june",
"malware",
"win64",
"unknown",
"america flag",
"twitter",
"hostname",
"domain add",
"reverse dns",
"america asn",
"present aug",
"a domains",
"moved",
"first pqc",
"unknown aaaa",
"title",
"meta",
"window",
"encrypt",
"pulse indicator",
"body doctype",
"welcome",
"ok server",
"gmt content",
"atlanta",
"abuse",
"agent",
"service",
"present jun",
"present may",
"creation date",
"record value",
"servers",
"libretv meta",
"certificate",
"value",
"whois lookup",
"loopia ab",
"userlolxxl"
],
"references": [
"http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist",
"It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!",
"pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz",
"Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com",
"docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545",
"https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips",
"https://hs.ecam.com/your-challenges-ecams-solutions",
"https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022",
"https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/",
"Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wannacry",
"display_name": "Wannacry",
"target": null
},
{
"id": "Foundry",
"display_name": "Foundry",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb",
"display_name": "Trojan:Win32/Comisproc!gmb",
"target": "/malware/Trojan:Win32/Comisproc!gmb"
},
{
"id": "Trojandropper:Win32/VB.IL",
"display_name": "Trojandropper:Win32/VB.IL",
"target": "/malware/Trojandropper:Win32/VB.IL"
},
{
"id": "#Exploit:Win32/CVE- 2023 - 23397",
"display_name": "#Exploit:Win32/CVE- 2023 - 23397",
"target": "/malware/#Exploit:Win32/CVE- 2023 - 23397"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "ALF:PulZati:Worm:Win32/Mydoom",
"display_name": "ALF:PulZati:Worm:Win32/Mydoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 8,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 248,
"FileHash-SHA1": 134,
"FileHash-SHA256": 2661,
"URL": 6257,
"domain": 682,
"email": 8,
"hostname": 2077,
"CVE": 1
},
"indicator_count": 12068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "145 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f80c6bcd3fff3a4f126a68",
"name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ",
"description": "",
"modified": "2025-11-20T17:00:05.377000",
"created": "2025-10-21T22:42:51.657000",
"tags": [
"united",
"urls",
"domain",
"files",
"files ip",
"td td",
"td tr",
"a td",
"dynamic dns",
"arial",
"worm",
"trojandropper",
"meta",
"null",
"enough",
"hosts",
"win32",
"fast",
"present oct",
"present jul",
"present sep",
"present aug",
"moved",
"ip address",
"error",
"title",
"ipv4 add",
"url analysis",
"hosting",
"reverse dns",
"america flag",
"name servers",
"body",
"a domains",
"passive dns",
"welcome",
"ok server",
"gmt content",
"twitter",
"dynamicloader",
"write c",
"medium",
"myapp",
"high",
"host",
"delphi",
"write",
"code",
"malware",
"device driver",
"backdoor",
"msil",
"present mar",
"apanas",
"regsetvalueexa",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"langturkish",
"sublangdefault",
"regdword",
"persistence",
"execution",
"nids",
"zegost",
"trojan",
"win32fugrafa",
"malwarexgen att",
"ck ids",
"t1040",
"sniffing",
"location united",
"united states",
"KeyAuth Open-source Authentication System Domain (keyauth .win) ",
"yara rule",
"search",
"blobx00x00x00",
"guard",
"encrypt",
"afraid",
"smartphone",
"laptop",
"tablet",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"show technique",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"access att",
"t1566 phishing",
"font",
"pattern match",
"general",
"contact",
"premium",
"never",
"core",
"external system",
"http header",
"network traffic",
"sample",
"antivirus",
"systems found",
"ipurl artifact",
"network related",
"sends traffic",
"http outbound",
"hostname add",
"address",
"registrar",
"internet ltd",
"livedomains",
"creation date",
"hostname",
"domain add",
"modrg",
"sincpoatia",
"utf8",
"appdata",
"temp",
"fyfdz",
"iepgq",
"trlew",
"copy",
"kentuchy",
"oljnmrfghb",
"powershell",
"sabey",
"sokolove law"
],
"references": [
"afraid.org | evergreen.afraid.org",
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
"https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
"https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
"Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
"Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
"KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
"https://api.strem.io/api/addonCollectionGet%",
"http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
"aohhpesayw.lawsonengineers.co.",
"Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru",
"gitea.neconsside.com \u2022 http://f7194.vip/login",
"2012647\tDropbox.com Offsite File Backup in Use",
"target.dropboxbusiness.com",
"consolefoundry.date \u2022 http://consolefoundry.date",
"http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Neshta",
"display_name": "Neshta",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "MalwareX-Gen",
"display_name": "MalwareX-Gen",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Worm:Win32/AutoRun.B",
"display_name": "Worm:Win32/AutoRun.B",
"target": "/malware/Worm:Win32/AutoRun.B"
},
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "Kentuchy",
"display_name": "Kentuchy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68f7ced2cf17d264b49628bc",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 483,
"hostname": 1397,
"URL": 2874,
"email": 2,
"FileHash-MD5": 369,
"FileHash-SHA1": 355,
"FileHash-SHA256": 1534,
"SSLCertFingerprint": 7
},
"indicator_count": 7021,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f7ced2cf17d264b49628bc",
"name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information",
"description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.",
"modified": "2025-11-20T17:00:05.377000",
"created": "2025-10-21T18:20:02.120000",
"tags": [
"united",
"urls",
"domain",
"files",
"files ip",
"td td",
"td tr",
"a td",
"dynamic dns",
"arial",
"worm",
"trojandropper",
"meta",
"null",
"enough",
"hosts",
"win32",
"fast",
"present oct",
"present jul",
"present sep",
"present aug",
"moved",
"ip address",
"error",
"title",
"ipv4 add",
"url analysis",
"hosting",
"reverse dns",
"america flag",
"name servers",
"body",
"a domains",
"passive dns",
"welcome",
"ok server",
"gmt content",
"twitter",
"dynamicloader",
"write c",
"medium",
"myapp",
"high",
"host",
"delphi",
"write",
"code",
"malware",
"device driver",
"backdoor",
"msil",
"present mar",
"apanas",
"regsetvalueexa",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"langturkish",
"sublangdefault",
"regdword",
"persistence",
"execution",
"nids",
"zegost",
"trojan",
"win32fugrafa",
"malwarexgen att",
"ck ids",
"t1040",
"sniffing",
"location united",
"united states",
"KeyAuth Open-source Authentication System Domain (keyauth .win) ",
"yara rule",
"search",
"blobx00x00x00",
"guard",
"encrypt",
"afraid",
"smartphone",
"laptop",
"tablet",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"show technique",
"refresh",
"span",
"hybrid",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"access att",
"t1566 phishing",
"font",
"pattern match",
"general",
"contact",
"premium",
"never",
"core",
"external system",
"http header",
"network traffic",
"sample",
"antivirus",
"systems found",
"ipurl artifact",
"network related",
"sends traffic",
"http outbound",
"hostname add",
"address",
"registrar",
"internet ltd",
"livedomains",
"creation date",
"hostname",
"domain add",
"modrg",
"sincpoatia",
"utf8",
"appdata",
"temp",
"fyfdz",
"iepgq",
"trlew",
"copy",
"kentuchy",
"oljnmrfghb",
"powershell",
"sabey",
"sokolove law"
],
"references": [
"afraid.org | evergreen.afraid.org",
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
"https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
"https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
"Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
"Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
"KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
"https://api.strem.io/api/addonCollectionGet%",
"http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
"aohhpesayw.lawsonengineers.co.",
"Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru",
"gitea.neconsside.com \u2022 http://f7194.vip/login",
"2012647\tDropbox.com Offsite File Backup in Use",
"target.dropboxbusiness.com",
"consolefoundry.date \u2022 http://consolefoundry.date",
"http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Neshta",
"display_name": "Neshta",
"target": null
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "Zegost",
"display_name": "Zegost",
"target": null
},
{
"id": "Worm:Win32/AutoRun.XXY!bit",
"display_name": "Worm:Win32/AutoRun.XXY!bit",
"target": "/malware/Worm:Win32/AutoRun.XXY!bit"
},
{
"id": "MalwareX-Gen",
"display_name": "MalwareX-Gen",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Worm:Win32/AutoRun.B",
"display_name": "Worm:Win32/AutoRun.B",
"target": "/malware/Worm:Win32/AutoRun.B"
},
{
"id": "Trojan:Win32/Pariham.A",
"display_name": "Trojan:Win32/Pariham.A",
"target": "/malware/Trojan:Win32/Pariham.A"
},
{
"id": "Kentuchy",
"display_name": "Kentuchy",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 483,
"hostname": 1397,
"URL": 2874,
"email": 2,
"FileHash-MD5": 369,
"FileHash-SHA1": 355,
"FileHash-SHA256": 1534,
"SSLCertFingerprint": 7
},
"indicator_count": 7021,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "nginx.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "nginx.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776637205.4310765
}