{ "type": "Domain", "indicator": "oftware.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/oftware.com", "alexa": "http://www.alexa.com/siteinfo/oftware.com", "indicator": "oftware.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4149145079, "indicator": "oftware.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "http://help.aiseesoft.jp/total-video-converter", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "http://help.aiseesoft.jp/fonelab/", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "http://test-firstmile.digitecgalaxus.ch", "http://help.aiseesoft.jp/blu-ray-player", "alohatube.xyz [BotNetwork]", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "remote.utorrent.com [remote router logins]", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "codewiki.google", "http://firstmile.digitecgalaxus.ch", "http://help.aiseesoft.jp/total-video-converter/", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "Alerts: injection_process_search protection_rx", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "https://action.aiseesoft.jp/itunes.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "js-cdn.music.apple.com \u2022 23.78.51.170", "23.216.147.64", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "aotx.alienvault.com (aotx.?)", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "www.phantomcameras.cn", "1.bing.com.cn", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://help.aiseesoft.jp/video-converter-ultimate/", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "Tulach.cc", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "facebooksunglassshop.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "podcasts.apple.com \u2022 23.34.32.21", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "dns.msftncsi.com", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "asp.net domain pointer", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "Contacted Google services", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "www.apple.com \u2022 23.34.32.199", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "http://tvm77.fashiongup.in/tracking/track-open", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "developer.x.com", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://podcasts.apple.com/us/podcast/lazarus" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Qakbot", "Eyestye", "Lockbit", "Dark", "Keylogger", "Worm:win32/mofksys.rnd!mtb", "Ransomexx", "Win.packed.eyestye-9754938-0", "Darkmoon", "Pws:win32/qqpass.ci", "Asyncrat", "Evilnum", "Eternalblue", "Polyransom", "Azorult", "Alf:heraklezeval:pua:win32/4shared", "Ransomware", "Qbot", "Win.trojan.agent-336074", "Backdoor.win32.shiz.ufj", "Parallax rat", "Agent tesla", "Autorun", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Wininicrypt", "Upatre", "Ursnif", "Pegasus", "Win.malware.unruy-6912804-0", "Trojan:win32/eyestye.t", "Malware packed", "Win32/socstealer!rfn", "Hacktool", "Maze", "Arid.viper_cnc", "Email-worm.win32.brontok.n", "Cobalt strike", "Amadey", "Wannacry", "Cassini", "Chaos", "Win.trojan.midia-4", "Emotet", "Quasar rat", "Njrat", "Tofsee", "Remcos rat" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69642a749490c0bf404aa8ac", "name": "Google Services - Malware Packed Google Branded Services", "description": "Contacted Google services | Service (1 of 3) || GoogleChromeElevationService | Mofksys \u2022 Unruy | Relationship: https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b | \n#affilliated #worm _#exploit #alternate_google #infection #spyware", "modified": "2026-02-10T22:01:54.041000", "created": "2026-01-11T22:55:48.308000", "tags": [ "write c", "write", "delete c", "ms windows", "pe32 executable", "globalc", "united", "worm", "malware", "defender", "united states", "google", "google account", "mtb ids", "cloudflare dns", "https domain", "tls sni", "medium priority", "yara detections", "alerts", "google play", "google api", "google chrome", "mofksys", "exploit", "process32nextw", "msie", "windows nt", "wow64", "slcc2", "media center", "search", "precreate read", "read c", "dock", "unknown", "suspicious", "alt google", "execution att", "lowfi", "mtb jan", "trojandropper", "passive dns", "backdoor", "win32upatre jan", "origin trial", "gmt cache", "443 ma2592000", "possible", "trojan", "title", "mtb dec", "ipv4 add", "state", "trojan", "dropper", "phishing", "ransom", "of colorado" ], "references": [ "accounts.google.com \u2022 apis.google.com clients2.google.com \u2022 clients2.googleusercontent.com", "142.251.9.95 \u2022 https://clients2.google.com/cr/report \u2022 accounts.google.com \u2022", "ogads-pa.clients6.google.com \u2022 optimizationguide-pa.googleapis.com \u2022 play.google.com", "update.googleapis.com \u2022 www.google.com \u2022 clientservices.googleapis.com", "Worm:Win32/Mofksys.RND!MTB | Yara Detections: SUSP_Imphash_Mar23_2", "IDS Detection: Observed Cloudflare DNS over HTTPS \u2022 Domain (cloudflare-dns .com in TLS SNI)", "Alerts: suspicious_iocontrol_codes infostealer_cookies persistence_autorun antisandbox_sleep", "Alerts: persistence_autorun_tasks polymorphic procmem_yara static_pe_anomaly antiav_detectfile", "Alerts: antiav_detectreg antivm_bochs_keys antivm_generic_disk infostealer_mail injection_write", "Alerts: suspicious_command_tools anomalous_deletefile mouse_movement_detect", "Alerts: dynamic_function_loading resumethread_remote_process stealth_hiddenreg", "Contacted Google services", "SERVICE NAME: SSDPSRV \u2022 Delete upnphost\tDelete \u2022 GoogleChromeElevationService", "https://otx.alienvault.com/indicator/file/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95", "codewiki.google", "Win.Malware.Unruy-6912804-0 IDS Detections: Win32/Unruy.C Activity 403 Forbidden", "Alerts: network_icmp persistence_autorun antivm_vmware_in_instruction", "Alerts: network_http antisandbox_sleep creates_exe dropper stealth_window", "Alerts: injection_process_search protection_rx", "IP\u2019s Contacted: 142.250.74.68 142.250.74.99 18.66.121.69 185.53.179.170 2.22.41.134 204.79.197.200", "IP\u2019s Contacted: 208.91.196.46 209.197.3.8 216.239.32.29 35.186.238.101", "Domains Contacted: www.microsoft.com www.bing.com www2.megawebdeals.com www.google.com", "Domains Contacted: ocsp.pki.goog www.download.windowsupdate.com ifdnzact.com", "Domains Contacted: d38psrni17bvxu.cloudfront.net www2.megawebfind.com www6.megawebfind.com", "PE Version Information : TJprojMain.exe", "Found in : https://otx.alienvault.com/pulse/69640c0afc9805a6fa2da07b", "IDS Detections Win32/Unruy.C Activity \u2022 403 Forbidden" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Unruy-6912804-0", "display_name": "Win.Malware.Unruy-6912804-0", "target": null }, { "id": "Win.Packed.Eyestye-9754938-0", "display_name": "Win.Packed.Eyestye-9754938-0", "target": null }, { "id": "Eyestye", "display_name": "Eyestye", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "ALF:HeraklezEval:PUA:Win32/4Shared", "display_name": "ALF:HeraklezEval:PUA:Win32/4Shared", "target": null }, { "id": "Cassini", "display_name": "Cassini", "target": null }, { "id": "DarkMoon", "display_name": "DarkMoon", "target": null }, { "id": "PolyRansom", "display_name": "PolyRansom", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1078.001", "name": "Default Accounts", "display_name": "T1078.001 - Default Accounts" }, { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1090.004", "name": "Domain Fronting", "display_name": "T1090.004 - Domain Fronting" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 165, "FileHash-SHA256": 867, "URL": 1461, "hostname": 429, "domain": 221, "SSLCertFingerprint": 1 }, "indicator_count": 3342, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "oftware.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "oftware.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776700672.053437 }