{ "type": "Domain", "indicator": "octopusdeploy.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/octopusdeploy.com", "alexa": "http://www.alexa.com/siteinfo/octopusdeploy.com", "indicator": "octopusdeploy.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3228996939, "indicator": "octopusdeploy.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b925e85c948d4dd608cc", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:25.852000", "created": "2026-03-12T13:01:25.852000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8e974189d2c41f07ed8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:25.910000", "created": "2026-03-12T13:00:25.910000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8e74d2b3effd55f88c3", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:23.173000", "created": "2026-03-12T13:00:23.173000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8dfbf8426a7a1d0146d", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:15.427000", "created": "2026-03-12T13:00:15.427000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8d7123610591625b8fb", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:07.354000", "created": "2026-03-12T13:00:07.354000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8d61e3f64a8f1f169b6", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:06.214000", "created": "2026-03-12T13:00:06.214000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8d24eeb4200bdb1d702", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:02.096000", "created": "2026-03-12T13:00:02.096000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687992eceac6f12e9cebd65f", "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet", "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime", "modified": "2025-12-28T19:04:27.449000", "created": "2025-07-18T00:18:50.968000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": null, "export_count": 375, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a3afba4c6ae03cea4633e7", "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew [by privacynotacrime]", "description": "", "modified": "2025-11-20T00:56:28.210000", "created": "2025-08-18T22:56:58.617000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14786, "CIDR": 3, "FileHash-MD5": 2, "domain": 8084, "email": 1, "hostname": 9967, "FileHash-SHA256": 5018, "CVE": 1, "IPv4": 10 }, "indicator_count": 37872, "is_author": false, "is_subscribing": null, "subscriber_count": 156, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665ec0cfd110b0694c51fbe2", "name": "Eset - Dorkbot", "description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.", "modified": "2024-07-04T06:01:28.799000", "created": "2024-06-04T07:22:55.572000", "tags": [ "historical ssl", "referrer", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "csl computer", "gmbh dba", "contact phone", "domain status", "registrar url", "registrar whois", "contact email", "code", "united", "unknown", "aaaa", "as14061", "cname", "search", "emails", "dnssec", "showing", "win32", "title error", "passive dns", "open ports", "trojan", "body doctype", "html public", "w3cdtd html", "body", "dns replication", "domain", "lookups", "email", "name server", "slovensko", "tech contact", "valid", "admin contact", "a domains", "a li", "span h3", "header link", "option option", "united kingdom", "test", "april", "meta", "paris", "eset", "yara detections", "nod32", "amon", "internalname", "online payment", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "amz cf", "creation date", "record value", "expiration date", "name servers", "servers", "status", "next", "asnone united", "moved", "certificate", "ipv4", "urls", "files", "av detections", "ids detections", "alerts", "analysis date", "cf2a", "xaax04x00", "high", "dns reply", "noip domain", "et trojan", "createsuspended", "malware traffic", "dorkbot", "malware", "copy", "name verdict", "falcon sandbox", "windows nt", "appdata", "png image", "pattern match", "indicator", "ascii text", "rgba", "get collect", "vj98", "hybrid", "general", "local", "click", "strings", "path", "ms windows", "pe32", "intel", "microsoft asf", "pe32 executable", "database", "english", "installer", "template", "tue jun", "service", "crlf line", "url https", "http", "ip address", "related nids", "files location", "tip" ], "references": [ "bpp.eset.com", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://appleid-verify.servecounterstrike.com/", "http://schoolgirl.uxxxporn.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": ", Win.Trojan.Agent-1286703", "display_name": ", Win.Trojan.Agent-1286703", "target": null }, { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Cosmu-1058", "display_name": "Win.Trojan.Cosmu-1058", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Finance", "Healthcare", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 758, "FileHash-SHA1": 478, "FileHash-SHA256": 2561, "URL": 8210, "domain": 2202, "hostname": 2760, "email": 22, "CVE": 3 }, "indicator_count": 16994, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "697 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "config-5.15.44-Re4son-v8+", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "https://tria.ge/240517-vqxezaaa33/behavioral1", "bpp.eset.com", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://tria.ge/240517-t9pc2ahb2t", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://urlscan.io/search/#ualberta.ca", "cmdline.txt", "config-5.15.44-Re4son-v8l+", "https://appleid-verify.servecounterstrike.com/", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "config.txt", "https://www.hudsonrock.com/search?domain=ualberta.ca", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://tria.ge/240521-q4s79agb25/static1", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "config-5.15.44-Re4son-v7+", "grub_background.sh", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "theme.txt", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "README", "config-5.15.44-Re4son-v7l+", "http://schoolgirl.uxxxporn.com", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "AppRegistrationList.csv", "LICENCE.broadcom", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "COPYING.linux", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "All - EnterpriseAppsList.csv", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "config-5.15.44-Re4son+", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "Thor Scan: S-I9VvMTB6cZU", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others" ], "malware_families": [ "Pegasus for ios - s0289", "Paragon (pegasus variant)", "Win32:genmalicious-kag\\ [trj]", "Pegasus for android - mob-s0032", ", win.trojan.agent-1286703", "Trojan:win32/dorkbot.du", "#lowfi:siga:trojandownloader:msil/genmaldow", "Pegasus for mac", "Graphite (pegasus variant)", "Mirai (windows)", "#lowfi:hstr:win32/mediadownloader", "Trojan:win32/zombie.a", "#lowfitrojan:html/iframe", "Win.trojan.cosmu-1058", "Trojan:js/berbew", "Alf:backdoor:java/webshell", "Html smuggling", "Alf:backdoor:powershell/reverseshell", "Starfighter (javascript)", "Careto", "Backdoor:linux/mirai", "Pegasus rdp module for windows", "Xloader for ios - s0490", "#lowfi:exploit:java/cve-2012-0507", "Win32:malware-gen", "Skynet", "#hstr:hacktool:win32/remoteshell", "Zeroaccess - s0027", "Alf:html/phishing", "Trojandownloader:linux/mirai" ], "industries": [ "People", "Education", "Telecommunications", "Agriculture", "Civilians", "Healthcare", "Government", "Technology", "Transportation", "Civil", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "69ce1c7b60a3065cc75b7e23", "name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?", "description": "", "modified": "2026-04-21T05:29:42.247000", "created": "2026-04-02T07:36:27.829000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": "698f07428f6e35876e034e41", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f07428f6e35876e034e41", "name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026", "description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "modified": "2026-03-15T10:19:15.579000", "created": "2026-02-13T11:13:03.870000", "tags": [ "raspberry pi", "hdmi", "hdmi mode", "uncomment", "additional", "usb mass", "pi02", "pi zero", "zero", "enable drm", "program", "license", "free software", "foundation", "general public", "gnu general", "public license", "the program", "copyright", "sections", "june", "general", "april", "vice", "drivers", "analog", "digital", "video", "bus support", "media", "accelerometers", "capacitance", "resolver", "android", "flash", "monitoring", "codec", "loop", "light", "linear", "tools", "class", "speakup", "core support", "legacy", "kernel", "this software", "including", "but not", "limited to", "ltd all", "redistributions", "disclaimer", "is provided", "damage", "info", "params", "gpio", "gpio pin", "select", "digital volume", "load", "gpios", "compute module", "spi bus", "front", "clock", "speed", "tiny", "kali", "oled", "systemd", "digi", "miso", "screen", "show", "global property", "bootmenu", "label", "booting", "please", "javascript", "entity", "file list", "size first", "credits text", "readme text", "no meaningful", "url list", "status https", "domain list", "enom", "registrar", "ltd dba", "com laude", "ip address", "ip adresses", "U of A", "GoA", "Treaty 6", "Treaty 7", "Treaty 8", "AHS" ], "references": [ "cmdline.txt", "config.txt", "COPYING.linux", "config-5.15.44-Re4son-v7+", "config-5.15.44-Re4son-v7l+", "config-5.15.44-Re4son-v8l+", "config-5.15.44-Re4son+", "config-5.15.44-Re4son-v8+", "grub_background.sh", "LICENCE.broadcom", "README", "theme.txt", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations", "https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e", "https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark", "https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1050", "name": "New Service", "display_name": "T1050 - New Service" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Agriculture", "Finance", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 812, "URL": 2492, "hostname": 1171, "FileHash-SHA256": 2057, "CVE": 2, "FileHash-MD5": 14, "FileHash-SHA1": 16, "email": 2, "CIDR": 118 }, "indicator_count": 6684, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b92a27c47d4e28927364", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:26.110000", "created": "2026-03-12T13:01:30.067000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b9295603a6100edfa8c8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:24:25.387000", "created": "2026-03-12T13:01:29.284000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b927aa7f10e82639d204", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.872000", "created": "2026-03-12T13:01:27.872000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b927c086397130c5d114", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:27.275000", "created": "2026-03-12T13:01:27.275000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b926871746ed8a1bc324", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:26.440000", "created": "2026-03-12T13:01:26.440000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b925e85c948d4dd608cc", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:01:25.852000", "created": "2026-03-12T13:01:25.852000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8e974189d2c41f07ed8", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:25.910000", "created": "2026-03-12T13:00:25.910000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2b8e74d2b3effd55f88c3", "name": "operation endgame clone by privacynotacrime (very detailed piece)", "description": "", "modified": "2026-03-12T13:00:23.173000", "created": "2026-03-12T13:00:23.173000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218783, "CIDR": 14, "FileHash-MD5": 1558, "domain": 171413, "email": 10, "hostname": 126790, "FileHash-SHA256": 135215, "CVE": 7, "IPv4": 5987, "FileHash-SHA1": 1386, "IPv6": 289 }, "indicator_count": 661452, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "octopusdeploy.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "octopusdeploy.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780354756.9401057 }