{
  "type": "Domain",
  "indicator": "onetag-sys.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/onetag-sys.com",
    "alexa": "http://www.alexa.com/siteinfo/onetag-sys.com",
    "indicator": "onetag-sys.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #1502",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain onetag-sys.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 315722448,
      "indicator": "onetag-sys.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "6a10e8d0c46d08b820206d6c",
          "name": "Emotet - dating back to before 2019. CAPE Sandbox",
          "description": "[ Cuckoo is a computer program that runs on an operating system (KVM) and can be run on a desktop or a mobile device (also known as a virtual assistant)]",
          "modified": "2026-05-23T05:14:22.248000",
          "created": "2026-05-22T23:37:52.466000",
          "tags": [
            "default",
            "jjjj",
            "settingswpad",
            "dos mode",
            "payload",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "emotet",
            "shutdown",
            "back"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 69,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 1530,
            "IPv4": 8385,
            "domain": 631,
            "URL": 160,
            "hostname": 6900,
            "CIDR": 7
          },
          "indicator_count": 17718,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5f37d3917861c6b99884b",
          "name": "CAPE Sandbox RIP.exe BLOODBANK.exe",
          "description": "A Cuckoo executable, for MS Windows, runs at 12:12:57 on the morning of 11 November, 2024, and ends in an unauthorised binary that ends up in a box full of data.- rip.exe tied to a gov domain is a treat.",
          "modified": "2026-05-16T07:01:32.826000",
          "created": "2026-04-08T06:19:41.886000",
          "tags": [
            "shell folders",
            "cname",
            "ip address",
            "nothing",
            "registry keys",
            "cape sandbox",
            "file type",
            "file size",
            "sha256",
            "mwdb",
            "accept",
            "shutdown",
            "windows sandbox",
            "calls process",
            "nethandle",
            "net1510000",
            "fastly",
            "skyca3",
            "po box",
            "city",
            "san francisco",
            "stateprov",
            "postalcode",
            "orgtechhandle",
            "orgnochandle",
            "orgid",
            "orgabuseref",
            "orgname",
            "cidr",
            "text process",
            "user",
            "default",
            "xport",
            "use my",
            "gmt ifnonematch",
            "microsoft excel",
            "pe file",
            "https",
            "contains",
            "spawns",
            "reads",
            "aslr",
            "seterrormode",
            "window",
            "malicious",
            "next",
            "csv text",
            "ascii text",
            "process",
            "queries memory",
            "network info",
            "dropped info",
            "persistence",
            "javascript",
            "please",
            "strong",
            "toggle",
            "mitre att",
            "advapi32",
            "windows",
            "dynamicloader",
            "sspicli",
            "name",
            "pid parent",
            "first",
            "threads",
            "path",
            "pegasus",
            "crypt32",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "performs dns",
            "urls",
            "found",
            "united",
            "jpeg image",
            "jfif",
            "json",
            "tls version",
            "mitre attack",
            "creates",
            "phishing",
            "clear filters",
            "thumbprint",
            "temp",
            "full path",
            "windir",
            "behavior",
            "selfdeleting",
            "bat file",
            "address",
            "port",
            "report",
            "system process",
            "downloads",
            "binary",
            "hxojc8o",
            "signatures",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "hkeyclassesroot",
            "createfilew",
            "regcreatekeyexw",
            "regsetvalueexw",
            "genericread",
            "readfile",
            "desktop",
            "webview",
            "fail"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626394&Signature=mjMxHo8L7UrEZ%2B0mpGMaevi%2Fnyxg566NrZjoVPOa6T3Cbyv9SjUxWf%2BLTZqUG6wgBgPDMrC9WYvpluFNlA3a8CmS9FgO5Wk4ihVivuBtOPhisX8aQoky6AhLHqi%2FTU6pVryey1kfBt6MlRl0gEZ6OJtKADUb2hPUfxXN0b6zIDrBlBpDlzmi73JWdo%2BTl7HWhJzFk%2FDQy3DniCvgLRSPVSK0WPg%2BpvgzruUYB%2F5pkH20cP",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626418&Signature=TwvqChaO8lqc0vzwz%2BZ7W7IIwZZZt6%2FhJ4DzgyGjlwl%2Bev3Aj3iyAMtUxNhwGhTz10UGTbYuZcmLUPKLpQ81mgT%2B8axs57DfzVt1BoJTH5lWYK%2BOI8LDJGXD8tZ8DGKuNa6dHqqdQ9gDvuEpnhGfMmpJovXa%2B0drHScs%2BE%2FQKF%2BRTqOXjfSVxMdoqYnlB3zMc6AU2CYPv%2FE1mP06q5yCaRjgA0aIcnf7ADr9",
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626474&Signature=kfjlpWuwZbaZbbP6fMcuay73HaFSKrqF520LJELy0GSL34yjKdsQSvLU8g4sBtj69rWQb6rJwENSsxoLQizFVcBSn04iqFQqS6VlgbQsMMJd57JpVb9gcQPuRc5iP37IN5crnnQjwWgIDQAxcMFVgX8L2SW2Eji5xGKVeIoJ6MJFYKxoyfiZD3779nqt8YvoaK1E4DWe5%2F9TzZWks0%2BaP5dwYHpoPnvYsj4k0X61JFQChNE5cZcNNbUH8i",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626915&Signature=A8EIjrcllVER4J%2FPzV2FRPV1NC%2FPha6J1APjMga6WlTRSe%2By092MDDTg4tF9ILYLxQtuQgmgwx93nasQfll6ffrd12FvlAsin2zj4vtdTT4AcIXmxJcKO0d%2FoLnozrBzi1R36TlEknCbXkqQPX%2BdvF%2BwroU1F61f6IOtIfgIK2uxK0KIG5I41N7fQcNOUNIwHoCvfAlSb2OqY1V4ESvWxMJ4MjdBn%2F%2B%2FUAOfpOh%2B7c",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d4dd113c9924d71398d9db20e2fcf347cad29c3d3bdc9612a44dfd47c1971aa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627160&Signature=K5%2FGwGNRKy0XCvva8zcyKHnsarNPNRQXXQI%2FV%2B1Susn9nmU9j%2Fm1SKT0f3LpBrVV5dyaLLy%2FYMPBmGKun3XY4WEmEl0KQkg17reIGCcLSeFbgDwpUm2DyN3ENt5d%2BkePCG6FvM5jUx7Cpf1ZTyw0PYePphEx1shaRArarvvSWz1kosuQhe%2BZ8tBYqt1c35e7%2BjQrwmLeZ489ungWsKJvhuXHetKJVJVEhY%2FLb3%2FBgTDodLwx3l",
            "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627259&Signature=LB8UpSFAWpkptxq2TpSlVUjgaYsD8ZVxTie7HZDfh0FJ9h5o0dlAfn3fQ2KoL66TnUg2S0MIsEXMxl5O%2BL%2FFPweNRNyFyFK8M4aHPEHTZZlcAopz6ofdP7b0rYACYLl%2BH51rdDSCCDGVFB2AxZXaz54b748ZJBd0lCSxvueW2MVVLJcFl5w4hcNIIwnXuHCQD02rsYzffmjBIO6CC1hPulQwohf%2FTZKDK5iuOAhPoVWWswdroV2A7M6M6PUg9g",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627300&Signature=ZqM8a%2BUX0F1D8t51nlp1%2BcYFN0ozRLI92p85KFn1f3Aey19YDGw%2BAAEbxD1JMvi%2BsMRGGfYTPACg4h9DM0VFKT8yq4FOOqED%2FO17EAyZrz6YSyQcMMnozviy%2B%2FdpS0Sqd8sas9FdpgcUAS%2FzEEcqa%2FsQVtkpv2rp9BZLKqvbpquNXBlA9rnKzvbtNwEP7meNDc%2FXDspVqf%2Frb9bWY8uHq7hJl6pMWknVtV",
            "https://vtbehaviour.commondatastorage.googleapis.com/faa6f8935bf337bb6f98bfe73e3b74f6e785da6929775e6bacbbd20d90ecf2c3_SNDBOX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627494&Signature=lBb52t94Lck4SSu4FORagQFNGojj5%2Bi7JRPlb68HqacyPusyn33LTlV%2F72P5M52r2EZ8ylUROPiRnCRBg0ry%2B2D1ctl1uWtP%2F1HDdBpnbxxUtkcM97MGzmUbIfTSOAsXsbB3f4Y6ZOIM%2BLYzCo%2BxwRmun4K%2Bo8K3mYHMatcF3mBtKcBPnP7WM5%2FHTz3XqJGMH9TCDIfe7j%2F3SAnx7X0tt0BgUcwPe4OkmHkUutihMBfek2MBp%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627608&Signature=nc6gUdC0NeDtHUOIT6P0pC0i9EKDBHTO%2BMbcwHvgjPzFPqDFGMq%2Fei9aUhg8ub9H4poa985bQO4xz1xEEOmGhEihgwKvDZ5u0QETkzbQJLxzzm5g9t%2Fx4iBeBHToQjDXdMrSu0ML%2FYBep0l%2F%2BkYortodmtnjHYhAEYOOLSZn4gSAWaPoq5vxXF9gtsRojKf9RIk5VuzDXFGY6BGsDKn2tch7nTJ3SmYKodEv4iWyVn4jp5g%2B4",
            "https://vtbehaviour.commondatastorage.googleapis.com/0c5a10f10eb29b8251a5dfe15fa74f7e25c281b4f9be7c87839a9ae3d34dfe6d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627783&Signature=FHIZFXnHZsAaWvZbG2O1vXTFfRz6BqTP8ikzyyXMpZ4VG6WEVnK3yHhhrnLfoLQqUCUgXvWOb1ThHRM6WXJGEx4jLnKM%2Fp6YkHmVEj1nFXBd%2BQ0IPGVwZRJfZcttoBFwmLwJ%2BTXEzUvqX%2FTXDGgeIKFac4IFl%2FGXPEmxi43CSXwZsWuD5CLfaHxEu65DvnuniHqPovnhBOp%2B2rEM2jSLgHuouV%2B9LiZwjgsSXeUVh1BFN5XrPPojB0Lk",
            "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628069&Signature=Tqx0WDIqoieH9yCo18tkPUdcYvTU0l0vEGnEzncxScNgePm2%2Bm5dMzcVkPb2dN4j43pL0c6xFpyqUmgcAaV4yJd1bWnukU%2FSoTPxrfzwEEPlXeMoapx9eeELYqF6WZWyor0m%2F4qv%2FuaYFkLWO2D8iOkqIiaNQBvu6nVuNBM3I%2FkrnXhWRxt3C8KQlAF%2Fo3ft05L0QBoJH6mQquOx2C777xrO6tjr31CGKjIMIAih66ud8Oskb57I%2B6zt",
            "https://vtbehaviour.commondatastorage.googleapis.com/aa2691bc8ec9abf5359396a356551d1e2de12c9c5035c259650650ced6607c6f_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628175&Signature=C%2Bm0zPP%2FHfqcIuof%2F2O%2F0UbWPaY37tDrVB%2FZMr2M9H%2BjPTiynLMHNyn5vNT97ndboi7U21mT93t30I4UMIqdICdXtc%2BlGG7rYgE2ruFbI6U%2BBxHCmlKEUYh1FZY%2BPsskjCqojS2K4I1w%2BfsLyUwkpsGHzh92WF%2B5h5FbNY5PySi2Fd3B4ns1okQyrU6i%2F0PdPGs%2BjnHvLfdB%2Bx%2FOjTJPOcKqkwk",
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628363&Signature=dlMT8ox9JTkziQZLJ6FL%2BRBc%2Fz%2BeAIvgi4qr%2FO3pMT9vAKLgbGFgQum2bJ74s07XpftMHPBj1fCgNY5xK7EIouHXhmpyiD%2B5zsfcKaNckOkNoIo6A9%2FfM6g42hN5djOg3pDclOqwj0ECuBWrtZXqZcrc5nv%2BU51qwqs6AAkIaiZWOX341r7RHPc49dpGRK0DG1XQDRGxacXm5erHEQmAAO8I8yR%2FzKT%2BZ6EJK6xC99uC",
            "https://vtbehaviour.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628967&Signature=cw9IN04sKdFEDdQTLeqNWDt35Spbg0yI2vZFSrsk%2FJ6%2BD%2BRC5pt7QZKTQlutBh8zpYG9b4%2F7TjCFxf5jo1s6uYpiVA8s%2F5c5ZVy2Ia387UGrip6kYJ9s2cfp%2BgQ1o2RHEQRhukeRqR6uQpb87IVhWb1VjeABoOqT%2Buy%2BeXUckwOcInk8tcs9wCI1xhRe3raMJ1EC1gIdXCGzMqLU%2F874cclP6LWAUiQ08FPQe8VZtob",
            "https://vtbehaviour.commondatastorage.googleapis.com/012f268838dbc4f0877ea47f272bcd5acdc15ac4584c3d3cddeae2f5107d09de_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629156&Signature=qIGYvmHwkDg5a1aWpPn%2FCFierOaHWS9Gyvi4Owjd4sJ7YytEl%2F5qxIIpo84v%2F7J%2BvxGYG9PrPDBHbH5jiJc2VOMkKroiRdzapAh%2FFwXVnVhn%2FCJ1eu6xMH2KJ6bs578zBbSbt6QJ2KPBU2E7RJQ5o%2FxLV93YjttPgspSTvjqiC1vCSwx78AdV7nt4xmxTCpqZB3OJuH%2ByROH7tWED9Qzq%2BVgwf7AmK9UrFuIKnmo07prAMKfo1k1",
            "https://vtcuckoo.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629192&Signature=gnfHVeS3e3cryOoChL6czgBUI9mEJwFk8OZ22bAN4U7V1r1yCjBq7i3y7Sarv1O34zp2Yabguk5BQI4cgnZ64Dj1uLdrx9dUaYo%2FzBoITjzCiJ7djJCvB0alIiIw%2Bok%2BqRGGtIFbrfS61QNeDiXmFpeD1d%2F1lGe8ZoBd0nLLqtP5xdbRALcJbrvbCeln9nFuu199svtMraGxafiWFWiEC4GRx1BmdMZYVqC%2B%2FukhirOXs7MyPd6i1%2FsSjSWfGa8ss4pgIMD"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 94,
            "FileHash-SHA1": 70,
            "FileHash-SHA256": 294,
            "domain": 50,
            "hostname": 410,
            "URL": 281,
            "CIDR": 1,
            "email": 3,
            "IPv4": 2
          },
          "indicator_count": 1205,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "17 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5f37c65fbf136884dae98",
          "name": "CAPE Sandbox RIP.exe BLOODBANK.exe",
          "description": "A Cuckoo executable, for MS Windows, runs at 12:12:57 on the morning of 11 November, 2024, and ends in an unauthorised binary that ends up in a box full of data.- rip.exe tied to a gov domain is a treat.",
          "modified": "2026-05-08T06:44:52.553000",
          "created": "2026-04-08T06:19:40.539000",
          "tags": [
            "shell folders",
            "cname",
            "ip address",
            "nothing",
            "registry keys",
            "cape sandbox",
            "file type",
            "file size",
            "sha256",
            "mwdb",
            "accept",
            "shutdown",
            "windows sandbox",
            "calls process",
            "nethandle",
            "net1510000",
            "fastly",
            "skyca3",
            "po box",
            "city",
            "san francisco",
            "stateprov",
            "postalcode",
            "orgtechhandle",
            "orgnochandle",
            "orgid",
            "orgabuseref",
            "orgname",
            "cidr",
            "text process",
            "user",
            "default",
            "xport",
            "use my",
            "gmt ifnonematch",
            "microsoft excel",
            "pe file",
            "https",
            "contains",
            "spawns",
            "reads",
            "aslr",
            "seterrormode",
            "window",
            "malicious",
            "next",
            "csv text",
            "ascii text",
            "process",
            "queries memory",
            "network info",
            "dropped info",
            "persistence",
            "javascript",
            "please",
            "strong",
            "toggle",
            "mitre att",
            "advapi32",
            "windows",
            "dynamicloader",
            "sspicli",
            "name",
            "pid parent",
            "first",
            "threads",
            "path",
            "pegasus",
            "crypt32",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "performs dns",
            "urls",
            "found",
            "united",
            "jpeg image",
            "jfif",
            "json",
            "tls version",
            "mitre attack",
            "creates",
            "phishing",
            "clear filters",
            "thumbprint",
            "temp",
            "full path",
            "windir",
            "behavior",
            "selfdeleting",
            "bat file",
            "address",
            "port",
            "report",
            "system process",
            "downloads",
            "binary",
            "hxojc8o",
            "signatures",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "hkeyclassesroot",
            "createfilew",
            "regcreatekeyexw",
            "regsetvalueexw",
            "genericread",
            "readfile",
            "desktop",
            "webview",
            "fail"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626394&Signature=mjMxHo8L7UrEZ%2B0mpGMaevi%2Fnyxg566NrZjoVPOa6T3Cbyv9SjUxWf%2BLTZqUG6wgBgPDMrC9WYvpluFNlA3a8CmS9FgO5Wk4ihVivuBtOPhisX8aQoky6AhLHqi%2FTU6pVryey1kfBt6MlRl0gEZ6OJtKADUb2hPUfxXN0b6zIDrBlBpDlzmi73JWdo%2BTl7HWhJzFk%2FDQy3DniCvgLRSPVSK0WPg%2BpvgzruUYB%2F5pkH20cP",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626418&Signature=TwvqChaO8lqc0vzwz%2BZ7W7IIwZZZt6%2FhJ4DzgyGjlwl%2Bev3Aj3iyAMtUxNhwGhTz10UGTbYuZcmLUPKLpQ81mgT%2B8axs57DfzVt1BoJTH5lWYK%2BOI8LDJGXD8tZ8DGKuNa6dHqqdQ9gDvuEpnhGfMmpJovXa%2B0drHScs%2BE%2FQKF%2BRTqOXjfSVxMdoqYnlB3zMc6AU2CYPv%2FE1mP06q5yCaRjgA0aIcnf7ADr9",
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626474&Signature=kfjlpWuwZbaZbbP6fMcuay73HaFSKrqF520LJELy0GSL34yjKdsQSvLU8g4sBtj69rWQb6rJwENSsxoLQizFVcBSn04iqFQqS6VlgbQsMMJd57JpVb9gcQPuRc5iP37IN5crnnQjwWgIDQAxcMFVgX8L2SW2Eji5xGKVeIoJ6MJFYKxoyfiZD3779nqt8YvoaK1E4DWe5%2F9TzZWks0%2BaP5dwYHpoPnvYsj4k0X61JFQChNE5cZcNNbUH8i",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626915&Signature=A8EIjrcllVER4J%2FPzV2FRPV1NC%2FPha6J1APjMga6WlTRSe%2By092MDDTg4tF9ILYLxQtuQgmgwx93nasQfll6ffrd12FvlAsin2zj4vtdTT4AcIXmxJcKO0d%2FoLnozrBzi1R36TlEknCbXkqQPX%2BdvF%2BwroU1F61f6IOtIfgIK2uxK0KIG5I41N7fQcNOUNIwHoCvfAlSb2OqY1V4ESvWxMJ4MjdBn%2F%2B%2FUAOfpOh%2B7c",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d4dd113c9924d71398d9db20e2fcf347cad29c3d3bdc9612a44dfd47c1971aa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627160&Signature=K5%2FGwGNRKy0XCvva8zcyKHnsarNPNRQXXQI%2FV%2B1Susn9nmU9j%2Fm1SKT0f3LpBrVV5dyaLLy%2FYMPBmGKun3XY4WEmEl0KQkg17reIGCcLSeFbgDwpUm2DyN3ENt5d%2BkePCG6FvM5jUx7Cpf1ZTyw0PYePphEx1shaRArarvvSWz1kosuQhe%2BZ8tBYqt1c35e7%2BjQrwmLeZ489ungWsKJvhuXHetKJVJVEhY%2FLb3%2FBgTDodLwx3l",
            "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627259&Signature=LB8UpSFAWpkptxq2TpSlVUjgaYsD8ZVxTie7HZDfh0FJ9h5o0dlAfn3fQ2KoL66TnUg2S0MIsEXMxl5O%2BL%2FFPweNRNyFyFK8M4aHPEHTZZlcAopz6ofdP7b0rYACYLl%2BH51rdDSCCDGVFB2AxZXaz54b748ZJBd0lCSxvueW2MVVLJcFl5w4hcNIIwnXuHCQD02rsYzffmjBIO6CC1hPulQwohf%2FTZKDK5iuOAhPoVWWswdroV2A7M6M6PUg9g",
            "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627300&Signature=ZqM8a%2BUX0F1D8t51nlp1%2BcYFN0ozRLI92p85KFn1f3Aey19YDGw%2BAAEbxD1JMvi%2BsMRGGfYTPACg4h9DM0VFKT8yq4FOOqED%2FO17EAyZrz6YSyQcMMnozviy%2B%2FdpS0Sqd8sas9FdpgcUAS%2FzEEcqa%2FsQVtkpv2rp9BZLKqvbpquNXBlA9rnKzvbtNwEP7meNDc%2FXDspVqf%2Frb9bWY8uHq7hJl6pMWknVtV",
            "https://vtbehaviour.commondatastorage.googleapis.com/faa6f8935bf337bb6f98bfe73e3b74f6e785da6929775e6bacbbd20d90ecf2c3_SNDBOX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627494&Signature=lBb52t94Lck4SSu4FORagQFNGojj5%2Bi7JRPlb68HqacyPusyn33LTlV%2F72P5M52r2EZ8ylUROPiRnCRBg0ry%2B2D1ctl1uWtP%2F1HDdBpnbxxUtkcM97MGzmUbIfTSOAsXsbB3f4Y6ZOIM%2BLYzCo%2BxwRmun4K%2Bo8K3mYHMatcF3mBtKcBPnP7WM5%2FHTz3XqJGMH9TCDIfe7j%2F3SAnx7X0tt0BgUcwPe4OkmHkUutihMBfek2MBp%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627608&Signature=nc6gUdC0NeDtHUOIT6P0pC0i9EKDBHTO%2BMbcwHvgjPzFPqDFGMq%2Fei9aUhg8ub9H4poa985bQO4xz1xEEOmGhEihgwKvDZ5u0QETkzbQJLxzzm5g9t%2Fx4iBeBHToQjDXdMrSu0ML%2FYBep0l%2F%2BkYortodmtnjHYhAEYOOLSZn4gSAWaPoq5vxXF9gtsRojKf9RIk5VuzDXFGY6BGsDKn2tch7nTJ3SmYKodEv4iWyVn4jp5g%2B4",
            "https://vtbehaviour.commondatastorage.googleapis.com/0c5a10f10eb29b8251a5dfe15fa74f7e25c281b4f9be7c87839a9ae3d34dfe6d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627783&Signature=FHIZFXnHZsAaWvZbG2O1vXTFfRz6BqTP8ikzyyXMpZ4VG6WEVnK3yHhhrnLfoLQqUCUgXvWOb1ThHRM6WXJGEx4jLnKM%2Fp6YkHmVEj1nFXBd%2BQ0IPGVwZRJfZcttoBFwmLwJ%2BTXEzUvqX%2FTXDGgeIKFac4IFl%2FGXPEmxi43CSXwZsWuD5CLfaHxEu65DvnuniHqPovnhBOp%2B2rEM2jSLgHuouV%2B9LiZwjgsSXeUVh1BFN5XrPPojB0Lk",
            "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628069&Signature=Tqx0WDIqoieH9yCo18tkPUdcYvTU0l0vEGnEzncxScNgePm2%2Bm5dMzcVkPb2dN4j43pL0c6xFpyqUmgcAaV4yJd1bWnukU%2FSoTPxrfzwEEPlXeMoapx9eeELYqF6WZWyor0m%2F4qv%2FuaYFkLWO2D8iOkqIiaNQBvu6nVuNBM3I%2FkrnXhWRxt3C8KQlAF%2Fo3ft05L0QBoJH6mQquOx2C777xrO6tjr31CGKjIMIAih66ud8Oskb57I%2B6zt",
            "https://vtbehaviour.commondatastorage.googleapis.com/aa2691bc8ec9abf5359396a356551d1e2de12c9c5035c259650650ced6607c6f_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628175&Signature=C%2Bm0zPP%2FHfqcIuof%2F2O%2F0UbWPaY37tDrVB%2FZMr2M9H%2BjPTiynLMHNyn5vNT97ndboi7U21mT93t30I4UMIqdICdXtc%2BlGG7rYgE2ruFbI6U%2BBxHCmlKEUYh1FZY%2BPsskjCqojS2K4I1w%2BfsLyUwkpsGHzh92WF%2B5h5FbNY5PySi2Fd3B4ns1okQyrU6i%2F0PdPGs%2BjnHvLfdB%2Bx%2FOjTJPOcKqkwk",
            "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628363&Signature=dlMT8ox9JTkziQZLJ6FL%2BRBc%2Fz%2BeAIvgi4qr%2FO3pMT9vAKLgbGFgQum2bJ74s07XpftMHPBj1fCgNY5xK7EIouHXhmpyiD%2B5zsfcKaNckOkNoIo6A9%2FfM6g42hN5djOg3pDclOqwj0ECuBWrtZXqZcrc5nv%2BU51qwqs6AAkIaiZWOX341r7RHPc49dpGRK0DG1XQDRGxacXm5erHEQmAAO8I8yR%2FzKT%2BZ6EJK6xC99uC",
            "https://vtbehaviour.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628967&Signature=cw9IN04sKdFEDdQTLeqNWDt35Spbg0yI2vZFSrsk%2FJ6%2BD%2BRC5pt7QZKTQlutBh8zpYG9b4%2F7TjCFxf5jo1s6uYpiVA8s%2F5c5ZVy2Ia387UGrip6kYJ9s2cfp%2BgQ1o2RHEQRhukeRqR6uQpb87IVhWb1VjeABoOqT%2Buy%2BeXUckwOcInk8tcs9wCI1xhRe3raMJ1EC1gIdXCGzMqLU%2F874cclP6LWAUiQ08FPQe8VZtob",
            "https://vtbehaviour.commondatastorage.googleapis.com/012f268838dbc4f0877ea47f272bcd5acdc15ac4584c3d3cddeae2f5107d09de_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629156&Signature=qIGYvmHwkDg5a1aWpPn%2FCFierOaHWS9Gyvi4Owjd4sJ7YytEl%2F5qxIIpo84v%2F7J%2BvxGYG9PrPDBHbH5jiJc2VOMkKroiRdzapAh%2FFwXVnVhn%2FCJ1eu6xMH2KJ6bs578zBbSbt6QJ2KPBU2E7RJQ5o%2FxLV93YjttPgspSTvjqiC1vCSwx78AdV7nt4xmxTCpqZB3OJuH%2ByROH7tWED9Qzq%2BVgwf7AmK9UrFuIKnmo07prAMKfo1k1",
            "https://vtcuckoo.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629192&Signature=gnfHVeS3e3cryOoChL6czgBUI9mEJwFk8OZ22bAN4U7V1r1yCjBq7i3y7Sarv1O34zp2Yabguk5BQI4cgnZ64Dj1uLdrx9dUaYo%2FzBoITjzCiJ7djJCvB0alIiIw%2Bok%2BqRGGtIFbrfS61QNeDiXmFpeD1d%2F1lGe8ZoBd0nLLqtP5xdbRALcJbrvbCeln9nFuu199svtMraGxafiWFWiEC4GRx1BmdMZYVqC%2B%2FukhirOXs7MyPd6i1%2FsSjSWfGa8ss4pgIMD"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 164,
            "FileHash-SHA1": 161,
            "FileHash-SHA256": 463,
            "domain": 56,
            "hostname": 396,
            "URL": 456,
            "CIDR": 1,
            "email": 7
          },
          "indicator_count": 1704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "25 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca5d583057aaefed16789a",
          "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
          "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
          "modified": "2026-04-29T11:26:13.615000",
          "created": "2026-03-30T11:24:08.053000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "default",
            "sha256",
            "sha1",
            "data",
            "info",
            "accept",
            "win64",
            "damage",
            "openssl",
            "shutdown",
            "direct",
            "explorer",
            "title",
            "payload",
            "rdap",
            "ip version",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity sg679",
            "handle",
            "stealc config",
            "cncs http"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 351,
            "URL": 392,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 197,
            "email": 12,
            "hostname": 68,
            "CIDR": 4
          },
          "indicator_count": 1341,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695089cbedad5c86f39b1363",
          "name": "Tracking Domains 03.03.26 (Updated Test)",
          "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
          "modified": "2026-04-05T06:35:43.679000",
          "created": "2025-12-28T01:37:15.993000",
          "tags": [
            "privacy badger",
            "sites general",
            "settings widget",
            "domains manage",
            "data privacy",
            "badger",
            "hide"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
            "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
            "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
            "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50404,
            "hostname": 10879,
            "URL": 715,
            "FileHash-MD5": 1
          },
          "indicator_count": 61999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b92a27c47d4e28927364",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:26.110000",
          "created": "2026-03-12T13:01:30.067000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "82 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b9295603a6100edfa8c8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:25.387000",
          "created": "2026-03-12T13:01:29.284000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "82 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927aa7f10e82639d204",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.872000",
          "created": "2026-03-12T13:01:27.872000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927c086397130c5d114",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.275000",
          "created": "2026-03-12T13:01:27.275000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b926871746ed8a1bc324",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:26.440000",
          "created": "2026-03-12T13:01:26.440000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b925e85c948d4dd608cc",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:25.852000",
          "created": "2026-03-12T13:01:25.852000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e974189d2c41f07ed8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:25.910000",
          "created": "2026-03-12T13:00:25.910000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e74d2b3effd55f88c3",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:23.173000",
          "created": "2026-03-12T13:00:23.173000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8dfbf8426a7a1d0146d",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:15.427000",
          "created": "2026-03-12T13:00:15.427000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d7123610591625b8fb",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:07.354000",
          "created": "2026-03-12T13:00:07.354000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d61e3f64a8f1f169b6",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:06.214000",
          "created": "2026-03-12T13:00:06.214000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d24eeb4200bdb1d702",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:02.096000",
          "created": "2026-03-12T13:00:02.096000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693adba47b2cce69440c726a",
          "name": "TESLA HACKERS | Login Google",
          "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry,  kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly.  Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI.  This feels so dangerous.",
          "modified": "2026-01-10T13:01:53.320000",
          "created": "2025-12-11T14:56:36.874000",
          "tags": [
            "tlsv1",
            "united",
            "oamazon",
            "cnamazon rsa",
            "jfif",
            "ogoogle trust",
            "cngts ca",
            "exif standard",
            "tiff image",
            "xresolution74",
            "execution",
            "dock",
            "write",
            "persistence",
            "malware",
            "encrypt",
            "ca https",
            "no expiration",
            "iocs",
            "url https",
            "enter source",
            "url or",
            "text drag",
            "drop or",
            "browse to",
            "select file",
            "ipv4",
            "url http",
            "type indicator",
            "sec ch",
            "ch ua",
            "unknown",
            "ua full",
            "ua platform",
            "as44273 host",
            "ua bitness",
            "msie",
            "chrome",
            "backdoor",
            "trojandropper",
            "passive dns",
            "forbidden",
            "body",
            "twitter",
            "trojan",
            "cookie",
            "title",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "read c",
            "port",
            "destination",
            "local",
            "moved",
            "integration all",
            "urls",
            "files",
            "reverse dns",
            "location united",
            "america flag",
            "name servers",
            "hostname",
            "unique",
            "expires wed",
            "gmt date",
            "server",
            "date wed",
            "connection",
            "use linux",
            "cybersecurity",
            "http",
            "ip address",
            "files location",
            "flag united",
            "win32",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "virtool",
            "date hash",
            "avast avg",
            "heur",
            "lowfi",
            "k sep",
            "contacted",
            "related tags",
            "none file",
            "type",
            "present dec",
            "present nov",
            "mtb mar",
            "aaaa",
            "hacktool",
            "indicator role",
            "domain",
            "url add",
            "as20940",
            "as16625 akamai",
            "present mar",
            "present may",
            "as54113",
            "present apr",
            "ipv4 add",
            "url analysis",
            "servers",
            "emails",
            "hostname add",
            "present aug",
            "present sep",
            "present oct",
            "status",
            "present jul",
            "data upload",
            "extraction",
            "as208722 yandex",
            "russia unknown",
            "a domains",
            "expirestue",
            "path",
            "certificate",
            "medium",
            "alerts show",
            "ck technique",
            "technique id",
            "installs",
            "pe32",
            "intel",
            "ms windows",
            "high",
            "icmp traffic",
            "dns query",
            "packing t1045",
            "t1045",
            "screenshots",
            "file type",
            "date february",
            "pm size",
            "imphash pehash",
            "guard",
            "syst",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "initial access",
            "spawns",
            "t1590 gather",
            "flag",
            "united kingdom",
            "command decode",
            "belgium belgium",
            "federation",
            "france france",
            "ireland ireland",
            "canada canada",
            "suricata ipv4",
            "click",
            "tesla hackers",
            "elon musk",
            "show",
            "richhash",
            "external",
            "virustotal api",
            "comments",
            "vendor finding",
            "notes clamav",
            "ms defender",
            "files matching",
            "copy",
            "found",
            "ssl certificate",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "yara rule",
            "reads",
            "number",
            "sample analysis",
            "hide samples",
            "entries",
            "samples show",
            "next yara",
            "detections name",
            "devcv5 ujrb",
            "ujrb",
            "uja1t",
            "show technique",
            "mitre att",
            "ck matrix",
            "ascii text",
            "pattern match",
            "sha1",
            "network traffic",
            "show process",
            "general"
          ],
          "references": [
            "https://www.teslarati.com/spacex",
            "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
            "https://cdn.teslarati.com \u2022  https://forums.teslarati.com/",
            "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
            "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
            "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
            "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
            "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
            "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
            "https://www.teslarati.com/",
            "https://www.teslarati.com/spacex",
            "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
            "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
            "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
            "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
            "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
            "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
            "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022  https://pickyhot.disqus.com/tsara-brashears",
            "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
            "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected:  Redirect Types: Delayed Redirect  Redirects to: /doodles/  Suspicious",
            "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
            "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
            "Source :  Binary File  ATT&CK ID T1566.002",
            "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
            "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
            "Detected Non-Google domain serving Google homepage details",
            "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
            "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
            "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
            "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
            "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
            "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
              "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB",
              "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Win.Malware.Jaik-9940406-0",
              "display_name": "Win.Malware.Jaik-9940406-0",
              "target": null
            },
            {
              "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
              "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn",
              "target": null
            },
            {
              "id": "Win.Malware.Snojan-6775202-0",
              "display_name": "Win.Malware.Snojan-6775202-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1207",
              "name": "Rogue Domain Controller",
              "display_name": "T1207 - Rogue Domain Controller"
            },
            {
              "id": "T1136.002",
              "name": "Domain Account",
              "display_name": "T1136.002 - Domain Account"
            },
            {
              "id": "T1003.005",
              "name": "Cached Domain Credentials",
              "display_name": "T1003.005 - Cached Domain Credentials"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5894,
            "FileHash-MD5": 458,
            "FileHash-SHA1": 305,
            "FileHash-SHA256": 2481,
            "SSLCertFingerprint": 26,
            "hostname": 2406,
            "domain": 966,
            "email": 16,
            "CVE": 1
          },
          "indicator_count": 12553,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "687992eceac6f12e9cebd65f",
          "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
          "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
          "modified": "2025-12-28T19:04:27.449000",
          "created": "2025-07-18T00:18:50.968000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 375,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 7,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "156 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ed117e2308a042e50e1e9e",
          "name": "Investigation of Distribution Vectors and Threat Network Infrastructure",
          "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.",
          "modified": "2025-11-23T23:20:07.571000",
          "created": "2023-08-28T21:28:30.294000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
            "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
            "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
            "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
            "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
            "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
            "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
            "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
            "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
            "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
            "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
            "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
            "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
            "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
            "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
            "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
            "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
            "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
            "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
            "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
            "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
            "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
            "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
            "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
            "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
            "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
            "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
            "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
            "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
            "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
            "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
            "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
            "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
            "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
            "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
            "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
            "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
            "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
            "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
            "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
            "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
            "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
            "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 111,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 236,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1421,
            "URL": 9580,
            "CIDR": 30,
            "domain": 10205,
            "email": 12,
            "hostname": 517612,
            "IPv4": 11,
            "CVE": 62
          },
          "indicator_count": 539308,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 146,
          "modified_text": "191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a3afba4c6ae03cea4633e7",
          "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew  [by privacynotacrime]",
          "description": "",
          "modified": "2025-11-20T00:56:28.210000",
          "created": "2025-08-18T22:56:58.617000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 89,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 14786,
            "CIDR": 3,
            "FileHash-MD5": 2,
            "domain": 8084,
            "email": 1,
            "hostname": 9967,
            "FileHash-SHA256": 5018,
            "CVE": 1,
            "IPv4": 10
          },
          "indicator_count": 37872,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 156,
          "modified_text": "195 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691b61e16cea7624a6606a69",
          "name": "For Later",
          "description": "***",
          "modified": "2025-11-17T18:46:19.094000",
          "created": "2025-11-17T17:56:49.875000",
          "tags": [
            "wormhole",
            "want",
            "sign",
            "submit send",
            "copy",
            "share show",
            "report delete",
            "faq roadmap",
            "security legal",
            "twitter discord",
            "protected"
          ],
          "references": [
            "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 72127,
            "hostname": 16700,
            "URL": 50
          },
          "indicator_count": 88877,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "197 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c62316b24b23e6d4c579ef",
          "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
          "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
          "modified": "2025-10-14T01:04:58.605000",
          "created": "2025-09-14T02:06:14.853000",
          "tags": [
            "denver",
            "jeffrey reimer",
            "star rating",
            "appointment",
            "post",
            "response are",
            "listened",
            "wait",
            "reimer",
            "healthgrades",
            "reply flag",
            "doctors",
            "find",
            "jeff",
            "back",
            "aurora",
            "leave",
            "crying",
            "tips",
            "tags na",
            "utc scorecard",
            "research beacon",
            "utc yahoo",
            "dot tags",
            "united",
            "mozilla",
            "write c",
            "nsisinetc",
            "undetermined",
            "medium",
            "intel",
            "ms windows",
            "write",
            "trojan",
            "defender",
            "delphi",
            "win32",
            "malware",
            "win64",
            "local",
            "next",
            "code overlap",
            "dynamicloader",
            "as15169",
            "brazil as28604",
            "brazil as396982",
            "upatre",
            "passive dns",
            "title error",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location united",
            "america flag",
            "body",
            "script script",
            "powder sdk",
            "a domains",
            "title",
            "script",
            "certificate",
            "hostname add",
            "pulse submit",
            "meta",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "evasion att",
            "t1480 execution",
            "signing defense",
            "flag",
            "whois privacy",
            "service name",
            "server",
            "contacted hosts",
            "ip address",
            "process details",
            "size",
            "div id",
            "beginstring",
            "beginerror",
            "null",
            "error",
            "strings",
            "refresh",
            "tools",
            "onload",
            "click",
            "span",
            "remote access"
          ],
          "references": [
            "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
            "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
            "CodeOverlap | All malware listed exists",
            "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "All #tags auto populated.",
            "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
            "blog.manpowergroup.com.py (aww like dadvocates)",
            "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
            "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "target": null
            },
            {
              "id": "Win.Malware.Tfuvtcog-7194372-0",
              "display_name": "Win.Malware.Tfuvtcog-7194372-0",
              "target": null
            },
            {
              "id": "Trojan.Win32.Fakemalard",
              "display_name": "Trojan.Win32.Fakemalard",
              "target": null
            },
            {
              "id": "Code Overlap",
              "display_name": "Code Overlap",
              "target": null
            },
            {
              "id": "Trojan.Win32.Banload",
              "display_name": "Trojan.Win32.Banload",
              "target": null
            },
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "Too much to search for",
              "display_name": "Too much to search for",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Medical",
            "Media",
            "Government."
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 609,
            "URL": 1550,
            "domain": 280,
            "FileHash-SHA256": 1428,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 115,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c62306c74c7f57dc993d13",
          "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
          "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
          "modified": "2025-10-14T01:04:58.605000",
          "created": "2025-09-14T02:05:58.793000",
          "tags": [
            "denver",
            "jeffrey reimer",
            "star rating",
            "appointment",
            "post",
            "response are",
            "listened",
            "wait",
            "reimer",
            "healthgrades",
            "reply flag",
            "doctors",
            "find",
            "jeff",
            "back",
            "aurora",
            "leave",
            "crying",
            "tips",
            "tags na",
            "utc scorecard",
            "research beacon",
            "utc yahoo",
            "dot tags",
            "united",
            "mozilla",
            "write c",
            "nsisinetc",
            "undetermined",
            "medium",
            "intel",
            "ms windows",
            "write",
            "trojan",
            "defender",
            "delphi",
            "win32",
            "malware",
            "win64",
            "local",
            "next",
            "code overlap",
            "dynamicloader",
            "as15169",
            "brazil as28604",
            "brazil as396982",
            "upatre",
            "passive dns",
            "title error",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location united",
            "america flag",
            "body",
            "script script",
            "powder sdk",
            "a domains",
            "title",
            "script",
            "certificate",
            "hostname add",
            "pulse submit",
            "meta",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "evasion att",
            "t1480 execution",
            "signing defense",
            "flag",
            "whois privacy",
            "service name",
            "server",
            "contacted hosts",
            "ip address",
            "process details",
            "size",
            "div id",
            "beginstring",
            "beginerror",
            "null",
            "error",
            "strings",
            "refresh",
            "tools",
            "onload",
            "click",
            "span",
            "remote access"
          ],
          "references": [
            "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
            "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
            "CodeOverlap | All malware listed exists",
            "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "All #tags auto populated.",
            "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
            "blog.manpowergroup.com.py (aww like dadvocates)",
            "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
            "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "target": null
            },
            {
              "id": "Win.Malware.Tfuvtcog-7194372-0",
              "display_name": "Win.Malware.Tfuvtcog-7194372-0",
              "target": null
            },
            {
              "id": "Trojan.Win32.Fakemalard",
              "display_name": "Trojan.Win32.Fakemalard",
              "target": null
            },
            {
              "id": "Code Overlap",
              "display_name": "Code Overlap",
              "target": null
            },
            {
              "id": "Trojan.Win32.Banload",
              "display_name": "Trojan.Win32.Banload",
              "target": null
            },
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Medical",
            "Media",
            "Government."
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 609,
            "URL": 1550,
            "domain": 280,
            "FileHash-SHA256": 1428,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 115,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684a3719a2708183b1b16d00",
          "name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)",
          "description": "Surprised: \nFollow bot account  affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set",
          "modified": "2025-07-12T01:02:11.925000",
          "created": "2025-06-12T02:10:33.839000",
          "tags": [
            "gtmkvjvztk",
            "open threat",
            "learn",
            "levelblue",
            "exchange meta",
            "tags twitter",
            "alienvault",
            "script tags",
            "iframe tags",
            "google tag",
            "html internet",
            "html document",
            "ascii text",
            "ta0004 defense",
            "evasion ta0005",
            "command",
            "control ta0011",
            "number",
            "cnmicrosoft ecc",
            "update secure",
            "server ca",
            "cus subject",
            "stwa lredmond",
            "omicrosoft c",
            "resolved ips",
            "get http",
            "dns resolutions",
            "request",
            "response",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "defense evasion",
            "ta0009 command",
            "impact ta0040",
            "catalog tree",
            "analysis ob0001",
            "analysis ob0002",
            "ob0007 impact",
            "ob0012 file",
            "system oc0001",
            "process oc0003",
            "data oc0004",
            "oc0008",
            "get https",
            "vis1",
            "oid2",
            "post https",
            "cjutxg",
            "base64uidenc",
            "error https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 162,
            "FileHash-SHA1": 28,
            "FileHash-SHA256": 2459,
            "domain": 889,
            "hostname": 1217,
            "URL": 4326,
            "FilePath": 1
          },
          "indicator_count": 9082,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "326 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5555b6ce863d998e83e26",
          "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
          "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
          "modified": "2025-05-11T19:03:59.885000",
          "created": "2025-04-08T16:56:59.641000",
          "tags": [
            "generated from",
            "do not",
            "edit uri",
            "urls",
            "edit",
            "rewriteengine",
            "rewritecond",
            "rewriterule",
            "r301",
            "xml2encalias",
            "beralloct",
            "berbvarrayadd",
            "berbvarrayfree",
            "berbvdup",
            "berbvecadd",
            "berbvecfree",
            "berbvfree",
            "berdump",
            "berdup",
            "berdupbv",
            "laerrordomain",
            "laerrornoncekey",
            "lamechanismtree",
            "lacontext",
            "ladomainstate",
            "laenvironment",
            "lanotification",
            "laprivatekey",
            "lapublickey",
            "laright",
            "apple swift",
            "o librarylevel",
            "combine import",
            "foundation",
            "swift import",
            "mcpeerid",
            "mcsession",
            "property",
            "copyright",
            "protocol",
            "class",
            "bonjour",
            "ascii lowercase",
            "abc company",
            "section",
            "bonjour txt",
            "note",
            "ui element",
            "utf8 encoding",
            "nscopying",
            "nsdictionary",
            "nsstring",
            "mcextern",
            "attribute",
            "mcextern extern",
            "mcexternweak",
            "nsenum",
            "nsinteger",
            "mcerrorcode",
            "mcerrorunknown",
            "mcerrortimedout",
            "peer",
            "example",
            "bonjour apis",
            "stop",
            "tags",
            "session",
            "nsprogress",
            "nserror",
            "nsurl",
            "nsarray",
            "create",
            "nsuinteger",
            "notifies",
            "mcsession api",
            "interface",
            "dbictrace",
            "dbivporth",
            "dbictracelevel",
            "dbdtffoo",
            "dbihseterrchar",
            "dbicstate",
            "dbictraceflags",
            "provides macros",
            "dbi release",
            "only",
            "sqlsuccess",
            "odbc",
            "sqlok",
            "tim bunce",
            "england",
            "sql cli",
            "sql datatype",
            "sqlguid",
            "sqlwlongvarchar",
            "main",
            "beware",
            "sv sth",
            "sv dbh",
            "impsth",
            "impdbh",
            "sv keysv",
            "sv params",
            "sv attr",
            "sv attribs",
            "sv drh",
            "void",
            "fri jul",
            "mixed",
            "dbixsrevision",
            "plsvundef",
            "license",
            "spagain",
            "perlioprintf",
            "dbiclogpio",
            "putback",
            "ireland",
            "gnu general",
            "super",
            "magic",
            "dbicflags",
            "dbis",
            "svrv",
            "null",
            "imp2com",
            "dbicactivekids",
            "dbicfiadestroy",
            "sv h",
            "dbicdbistate",
            "code",
            "copy",
            "refer",
            "trace",
            "error",
            "unknown",
            "hookopcheckh",
            "startexternc",
            "hookopcheckcb",
            "userdata",
            "endexternc",
            "isinternalbuild",
            "kickmcxdforuid",
            "loadappkit",
            "ardconfig",
            "authenticator",
            "dsauthenticator",
            "dsnode",
            "dsrecord",
            "group",
            "hostconfig",
            "apfsvolumelock",
            "apfsvolumerole",
            "aoskgetosinfo",
            "aoskgetuserinfo",
            "aosaddappleid",
            "aosdisablepcs",
            "aosenablepcs",
            "aoslog",
            "aoslogforce",
            "aosrelaycookie",
            "didfailcallback",
            "kaosaccountkey",
            "kapcsbundle",
            "kapcspath",
            "kjsonextension",
            "apcsbucketid",
            "apcsreports",
            "apconfiguration",
            "apversiondata",
            "apversionhelper",
            "systemvolumesvm",
            "name size",
            "identifier",
            "gb disk0s3",
            "devdisk3",
            "apfs container",
            "scheme",
            "physical store",
            "macintosh hd",
            "apfs snapshot",
            "preboot",
            "refs address",
            "size wired",
            "name",
            "version",
            "uuid",
            "linked against",
            "renderer",
            "helper",
            "chrome helper",
            "contains",
            "cloud ui",
            "macintosh",
            "khtml",
            "gecko",
            "ui helper",
            "plugin",
            "service",
            "good",
            "battery power",
            "apfs encryption",
            "jumpcloud go",
            "chrome web",
            "store",
            "privacy badger",
            "flowcrypt",
            "encrypt gmail",
            "simple",
            "google",
            "b2b phone",
            "number",
            "apollo",
            "future",
            "exccrash",
            "sigkill",
            "code signature",
            "invalid",
            "sigabrt",
            "protonvpn",
            "excguard",
            "excbreakpoint",
            "sigtrap",
            "excbadaccess",
            "appl",
            "english",
            "adobe crash",
            "adobe",
            "acrobat dcadobe",
            "processor",
            "uninstaller",
            "assistant",
            "install",
            "cloud",
            "dock",
            "calendar",
            "music",
            "terminal",
            "tips",
            "installer",
            "updater",
            "proton",
            "tools",
            "stub",
            "python",
            "clock",
            "powershell",
            "team",
            "rave scout",
            "cookies",
            "public folder",
            "key cert",
            "sign",
            "crl sign",
            "root ca",
            "authority",
            "public primary",
            "global root",
            "verisign",
            "academic",
            "premium",
            "adaptive",
            "interactive",
            "background",
            "standard",
            "launchd sandbox",
            "s mdworker",
            "agent",
            "command line",
            "progress",
            "yubico",
            "macos13action",
            "disableoverride",
            "disableairdrop",
            "denyactivation",
            "enable",
            "loginwindowtext",
            "jumpcloud",
            "autoupdate",
            "loggingoption",
            "enablefirewall",
            "arm64e",
            "apple m2",
            "mac142",
            "kjqqtw7pqt",
            "daemon",
            "server",
            "open directory",
            "user",
            "account",
            "kerberos admin",
            "kerberos change",
            "device daemon",
            "network",
            "desktop",
            "screensaver",
            "bridge",
            "aesxtsarm",
            "aesecbarm",
            "sha512vngarmhw",
            "sha384vngarmhw",
            "sha256vngarm",
            "sha1vngarm",
            "darwin kernel",
            "wed mar",
            "wkarraycreate",
            "wkbooleancreate",
            "wkcontextcreate",
            "wkdatacreate",
            "wkdatagettypeid",
            "wkdoublecreate",
            "wkframecopyurl",
            "wkgettypeid",
            "wkimagecreate",
            "wkpagecandelete",
            "webview",
            "notice",
            "this software",
            "including",
            "but not",
            "limited to",
            "redistribution",
            "is provided",
            "by apple",
            "direct",
            "damage",
            "apiavailable",
            "webkit",
            "nsswiftname",
            "document",
            "a block",
            "as is",
            "hasinclude",
            "wkdownload",
            "abstract",
            "wkerrorcode",
            "wkerrorunknown",
            "discussion",
            "bool",
            "whether",
            "wkcontentworld",
            "wkwebview",
            "javascript",
            "nsunavailable",
            "vaargs",
            "nsswiftasync",
            "wkswiftasync",
            "wkcookiepolicy",
            "wkswiftuiactor",
            "nshttpcookie",
            "targetosiphone",
            "wknavigation",
            "decides",
            "boolean value",
            "apideprecated",
            "methodkind",
            "wkerrordomain",
            "wkscriptmessage",
            "promise",
            "fulfill",
            "const",
            "url scheme",
            "mark",
            "wkuserscript",
            "targetosvision",
            "param",
            "wkframeinfo",
            "targetosios",
            "pass",
            "window",
            "mime type",
            "link",
            "nsimage",
            "returns",
            "nsset",
            "checks",
            "matches",
            "a boolean",
            "defaults",
            "wkwebextension",
            "cgsize",
            "uiimage",
            "apis",
            "nsdate",
            "wkcontentmode",
            "wkextern",
            "possible",
            "cgfloat",
            "media",
            "cgrect",
            "apiunavailable",
            "framework",
            "nsswiftuiactor",
            "targetoswatch",
            "confirms",
            "apple upgrade",
            "nsstring user",
            "nsobject",
            "provider",
            "apple",
            "password",
            "uicontrol",
            "nscontrol",
            "asuseragerange",
            "check",
            "opaque user",
            "apple id",
            "initiate",
            "asauthorization",
            "operation",
            "state",
            "nserrorenum",
            "nsdata",
            "relying party",
            "asapiavailable",
            "perform",
            "realm",
            "http response",
            "authorization",
            "http",
            "oauth",
            "saml",
            "a byte",
            "nsdata userid",
            "relying",
            "a string",
            "nsdata readdata",
            "bool didwrite",
            "a cose",
            "nsdata first",
            "nsdata second",
            "nsstring name",
            "bool appid",
            "targetosxr",
            "nsstring appid",
            "bluetooth",
            "mdm profile",
            "nsurl url",
            "returns yes",
            "a state",
            "a json",
            "web token",
            "private seckeys",
            "enables",
            "keychain",
            "asswiftsendable",
            "cose algorithm",
            "ecdsa",
            "sha256",
            "cose curve",
            "p256",
            "nullable",
            "bool success",
            "remove",
            "call",
            "complete",
            "initializes",
            "time code",
            "extensions",
            "asextern extern",
            "asextern",
            "nsswiftsendable",
            "prepare",
            "list",
            "nsextension",
            "attempt",
            "nsstring label",
            "creates",
            "nsstring code",
            "a key",
            "webauthn",
            "nssecurecoding",
            "input",
            "output",
            "initialize",
            "nsinteger rank",
            "json",
            "inputs",
            "hash",
            "nsstring origin",
            "settings app",
            "extension",
            "https urls",
            "safari",
            "cancel",
            "nsuuid uuid",
            "r uftpexu",
            "nsmutabledata",
            "vnsdate",
            "mprcjy",
            "postfix",
            "domain",
            "canonical",
            "tables",
            "ldap",
            "post",
            "replace user",
            "address",
            "wietse venema",
            "bugs",
            "mail",
            "aliases",
            "postfix version",
            "restrict",
            "sample",
            "person",
            "basic system",
            "general",
            "reject empty",
            "postfix smtp",
            "ipv6 host",
            "reject",
            "reply",
            "access",
            "prior",
            "hold",
            "info",
            "mail delivery",
            "charset",
            "system",
            "report",
            "postfix dsn",
            "mail returned",
            "this",
            "generic",
            "smtp",
            "isp mail",
            "mime",
            "headerchecks",
            "readme files",
            "filters while",
            "posix",
            "empty",
            "body",
            "write",
            "date",
            "smtp server",
            "specify",
            "mx host",
            "unix password",
            "user unknown",
            "pathbin",
            "postfix queue",
            "unix",
            "cyrus",
            "path",
            "uucp",
            "shell",
            "local",
            "program",
            "agreement",
            "contributor",
            "recipient",
            "contribution",
            "the program",
            "corporation",
            "contributors",
            "product x",
            "as expressly",
            "arch",
            "arch x8664",
            "pipe wall",
            "wimplicit",
            "ranlib",
            "warn",
            "switch",
            "start",
            "systype",
            "outlook",
            "postfix master",
            "begin",
            "server admin",
            "mail backend",
            "modern smtp",
            "iana",
            "many",
            "postfix pipe",
            "recent cyrus",
            "amos gouaux",
            "old example",
            "or even",
            "lutz jaenicke",
            "technology",
            "cottbus",
            "germany",
            "openssl package",
            "openssl project",
            "europe",
            "remember that",
            "use of",
            "file",
            "update",
            "usrsbin",
            "file format",
            "no group",
            "daemondirectory",
            "deliver mail",
            "transport",
            "description",
            "result format",
            "virtual",
            "virtual alias",
            "redirect mail",
            "relocated",
            "matches user",
            "synopsis",
            "lastname",
            "firstname",
            "apple computer",
            "tcpip",
            "supported",
            "quantum",
            "facility",
            "level",
            "level info",
            "broadcast",
            "ignore",
            "rules",
            "sender",
            "automounter map",
            "use directory",
            "get home",
            "home autohome",
            "true",
            "t option",
            "mount",
            "force",
            "environment",
            "automountdenv",
            "promptcommand",
            "shellsessiondir",
            "histfile",
            "histfilesize",
            "myvar",
            "histtimeformat",
            "arrange",
            "bashrematch",
            "tell",
            "ps1h",
            "make bash",
            "s checkwinsize",
            "etcbashrc",
            "termprogram",
            "inpck",
            "nnnbaud",
            "berkeley",
            "parity",
            "pc entry",
            "pass8",
            "parenb istrip",
            "fixed speed",
            "entry",
            "clocal mode",
            "maxhistsize",
            "promptmode",
            "verbose end",
            "etcirbrcloaded",
            "default",
            "setup",
            "history file",
            "kernel",
            "readline",
            "jabber",
            "group database",
            "dovecot",
            "postfix scsd",
            "networkd",
            "searchpaths",
            "freebsd",
            "tmpdir",
            "fcodes",
            "prunepaths",
            "vartmp",
            "prunedirs",
            "filesystems",
            "nroff",
            "manpath",
            "uncomment",
            "manpager",
            "whatispager",
            "manlocale",
            "every",
            "manpath optman",
            "maybe",
            "troff",
            "status mailfrom",
            "returnpath via",
            "pidfile",
            "flags",
            "bcgjnuwz",
            "bin usrsbin",
            "sbin",
            "default pf",
            "care",
            "audio",
            "user database",
            "unix copy",
            "gate daemon",
            "bashno",
            "r etcbashrc",
            "rfc1323",
            "m1460",
            "macos x",
            "signature",
            "linux",
            "opera",
            "xp sp1",
            "windows sp1",
            "nmap syn",
            "m265",
            "synack",
            "mind",
            "macos",
            "warp",
            "ipv6",
            "internet",
            "icmp",
            "cisco",
            "monitoring",
            "argus",
            "chaos",
            "rsvp",
            "encapsulation",
            "aris",
            "isis",
            "netbootmount",
            "netbootshadow",
            "computername",
            "localonly",
            "localnetbootdir",
            "netboot",
            "define",
            "purpose",
            "networkonly",
            "waiting",
            "networkup",
            "term",
            "devnull",
            "common setup",
            "configure",
            "set command",
            "dns hostname",
            "dns query",
            "see also",
            "kame",
            "sunnet manager",
            "rpcsrc",
            "netlicense",
            "ftpd",
            "bindash binksh",
            "binsh bintcsh",
            "jumpcloud ldap",
            "smb2",
            "security",
            "workgroup",
            "standalone",
            "samba server",
            "enforce",
            "smb3",
            "example share",
            "improper use",
            "ctrlc",
            "none",
            "fax reception",
            "hardwired",
            "0007",
            "must",
            "visudo",
            "blocksize",
            "charset lang",
            "language lcall",
            "lines columns",
            "lscolors",
            "sshauthsock",
            "orion",
            "setup user",
            "home",
            "zdotdir",
            "delete",
            "beep",
            "vendor",
            "kf10",
            "kf11",
            "kf12",
            "kf13",
            "backspace",
            "insert",
            "resume",
            "termsessionid",
            "savehist",
            "sharehistory",
            "h do",
            "volume",
            "de l",
            "l uuid",
            "m tra",
            "n est",
            "suuid",
            "prfen",
            "fusion",
            "syst",
            "look",
            "executant",
            "alla",
            "over",
            "test",
            "overie",
            "zapis",
            "rapid",
            "disco usa",
            "de macos",
            "nie s",
            "i denne",
            "adgjmpsvx",
            "diskgthis disk",
            "01k8x j",
            "34disk",
            "levy kytt",
            "dict",
            "array",
            "plist",
            "apple root",
            "code signing",
            "inode64r",
            "xofkoxzh",
            "integer",
            "doctype",
            "brain",
            "abcd",
            "ogwo",
            "boaw",
            "cobwa",
            "uhawavauatsh",
            "ip bitmap",
            "foewdc",
            "could",
            "ip block",
            "funcs",
            "cogwo",
            "trash",
            "double",
            "hunt",
            "affa",
            "carr",
            "crypto",
            "docwbac",
            "q1b0",
            "q1 0",
            "h h5",
            "docwbag",
            "slice",
            "format",
            "zero",
            "alfa",
            "hera",
            "lelei",
            "hehe",
            "hisp",
            "fail",
            "katy",
            "zakk",
            "eodwcbgao",
            "hhk8di",
            "alma",
            "topo",
            "open",
            "huhk",
            "piper",
            "hehx",
            "eh ui",
            "h20hph",
            "hif h",
            "hmhhihqhyla hq",
            "r11b0",
            "target",
            "uus10u",
            "hifh",
            "loghookfailed",
            "loghook",
            "hell",
            "q1b 0",
            "f duh",
            "aqw1",
            "1160"
          ],
          "references": [
            "index.html.en",
            "bind.html",
            "caching.html",
            "BUILDING",
            "configuring.html",
            "content-negotiation.html",
            "custom-error.html",
            "convenience.map",
            "LDAP.tbd",
            "lber.h",
            "ldap.h",
            "LocalAuthentication.tbd",
            "arm64e-apple-macos.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-macos.swiftinterface",
            "MultipeerConnectivity.tbd",
            "module.modulemap",
            "MCNearbyServiceAdvertiser.h",
            "MCPeerID.h",
            "MCError.h",
            "MCNearbyServiceBrowser.h",
            "MCAdvertiserAssistant.h",
            "MultipeerConnectivity.apinotes",
            "MultipeerConnectivity.h",
            "MCSession.h",
            "MCBrowserViewController.h",
            "dbivport.h",
            "dbi_sql.h",
            "dbd_xsh.h",
            "dbixs_rev.h",
            "Driver_xst.h",
            "DBIXS.h",
            "hook_op_check.h",
            "Admin.tbd",
            "AirPlayReceiver.tbd",
            "apfs_boot_mount.tbd",
            "AOSKit.tbd",
            "APConfigurationSystem.tbd",
            "AppleFirmwareUpdate.tbd",
            "launchdaemons.txt",
            "preboot_archive_errors.log",
            "mounts.txt",
            "launchagents.txt",
            "disk_structure.txt",
            "user_launchagents.txt",
            "security_status.txt",
            "kexts.txt",
            "process_list.txt",
            "battery.csv",
            "diskEncryption.csv",
            "chromeExtensions.csv",
            "crashes.csv",
            "interfaceAddrs.csv",
            "kernel.csv",
            "interfaceDetails.csv",
            "etcHosts.csv",
            "applications.csv",
            "mounts.csv",
            "sharedFolders.csv",
            "certificates.csv",
            "sharingPreferences.csv",
            "launchD.csv",
            "usbDevices.csv",
            "managedPolicies.csv",
            "systemInfo.csv",
            "users.csv",
            "sipConfig.csv",
            "systemControls.csv",
            "canonical",
            "aliases",
            "custom_header_checks",
            "access",
            "bounce.cf.default",
            "generic",
            "header_checks",
            "main.cf.default",
            "LICENSE",
            "makedefs.out",
            "main.cf",
            "master.cf.default",
            "main.cf.proto",
            "master.cf.proto",
            "master.cf",
            "TLS_LICENSE",
            "postfix-files",
            "transport",
            "virtual",
            "relocated",
            "afpovertcp.cfg",
            "asl.conf",
            "auto_home",
            "auto_master",
            "autofs.conf",
            "bashrc_Apple_Terminal",
            "com.apple.screensharing.agent.launchd",
            "bashrc",
            "command_args.json",
            "csh.cshrc",
            "csh.login",
            "find.codes",
            "csh.logout",
            "ftpusers",
            "gettytab",
            "irbrc",
            "kern_loader.conf",
            "group",
            "locate.rc",
            "man.conf",
            "mail.rc",
            "manpaths",
            "networks",
            "nfs.conf",
            "newsyslog.conf",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "paths",
            "pf.conf",
            "passwd",
            "profile",
            "pf.os",
            "protocols",
            "rc.netboot",
            "rc.common",
            "rmtab",
            "resolv.conf",
            "rtadvd.conf",
            "rpc",
            "shells",
            "smb.conf",
            "sudo_lecture",
            "ttys",
            "syslog.conf",
            "xtab",
            "sudoers",
            "zprofile",
            "zshrc",
            "zshrc_Apple_Terminal",
            "CodeResources",
            "version.plist",
            "Info.plist"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia Hacker Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lastname",
              "display_name": "Lastname",
              "target": null
            },
            {
              "id": "Firstname",
              "display_name": "Firstname",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4449,
            "domain": 3847,
            "URL": 14263,
            "FileHash-SHA256": 2356,
            "FileHash-MD5": 223,
            "FileHash-SHA1": 523,
            "email": 223,
            "CVE": 40,
            "CIDR": 12,
            "SSLCertFingerprint": 302
          },
          "indicator_count": 26238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "387 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d35792ef3a887aac1d88a4",
          "name": "ThreatIntelligence | Spyware | Pegasus | Berbew | Government | Facebook",
          "description": "The following indicators have been discovered on a device infected with software similar to Pegasus.  If you find any of these indicators, you are infected with Pegasus or any other similar software.  It has been detected that the connections are made automatically and are not related to any application.  Also, in case most applications are prohibited from accessing the Internet, it disguises itself as legitimate traffic in applications that do have Internet access.  Practically undetectable spyware.  No antivirus is capable of detecting it.  Affected systems: Windows 7, 8, 8.1, 10, and 11 - Android 11 and above.",
          "modified": "2025-04-12T21:01:38.944000",
          "created": "2025-03-13T22:09:22.635000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Spain"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - S0316",
              "display_name": "Pegasus for Android - S0316",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "#HackTool:PowerShell/Powersploit",
              "display_name": "#HackTool:PowerShell/Powersploit",
              "target": "/malware/#HackTool:PowerShell/Powersploit"
            }
          ],
          "attack_ids": [
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1211",
              "name": "Exploitation for Defense Evasion",
              "display_name": "T1211 - Exploitation for Defense Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "donotspyme",
            "id": "312388",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 28,
            "domain": 6,
            "URL": 15,
            "FileHash-SHA256": 251,
            "CVE": 1
          },
          "indicator_count": 301,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "416 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "656aafd0e93efa420f74123c",
          "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
          "description": "",
          "modified": "2024-10-12T01:00:47.836000",
          "created": "2023-12-02T04:17:20.189000",
          "tags": [
            "ssl certificate",
            "contacted",
            "threat roundup",
            "whois record",
            "communicating",
            "subdomains",
            "resolutions",
            "june",
            "july",
            "october",
            "august",
            "noname057",
            "generic malware",
            "ice fog",
            "tag count",
            "thu nov",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "first",
            "generic",
            "detection list",
            "blacklist http",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "alexa",
            "malware site",
            "malicious site",
            "unsafe",
            "artemis",
            "fakealert",
            "exploit",
            "opencandy",
            "riskware",
            "genkryptik",
            "iframe",
            "tiggre",
            "presenoker",
            "agent",
            "conduit",
            "wacatac",
            "phishing",
            "redline stealer",
            "dropper",
            "cobalt strike",
            "acint",
            "nircmd",
            "swrort",
            "downldr",
            "systweak",
            "behav",
            "crack",
            "filetour",
            "cleaner",
            "installpack",
            "xrat",
            "fusioncore",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "blacknet rat",
            "stealer",
            "maltiverse",
            "webtoolbar",
            "trojanspy",
            "united",
            "engineering",
            "cyber threat",
            "phishing site",
            "america",
            "emotet",
            "zbot",
            "malicious",
            "steam",
            "team",
            "indonesia",
            "miner",
            "ransomware",
            "ramnit",
            "pe resource",
            "historical ssl",
            "execution",
            "hacktool",
            "metasploit",
            "relic",
            "monitoring",
            "android",
            "skynet",
            "et",
            "anonymizer",
            "trojanx",
            "back",
            "laplasclipper",
            "win64",
            "trojan",
            "ghost rat",
            "suppobox",
            "asyncrat",
            "union",
            "samples",
            "blacklist",
            "malicious url",
            "hostname",
            "hostnames",
            "tsara brashears",
            "reinsurance",
            "pinnacol insurance",
            "industry and commerce",
            "state",
            "danger",
            "warning",
            "nr-data.net",
            "apple",
            "data.net",
            "asp.net",
            "domains",
            "hashes",
            "reverse dns",
            "general full",
            "resource",
            "software",
            "asn15169",
            "google",
            "url http",
            "server",
            "hash",
            "get h2",
            "main",
            "cookie",
            "thu dec",
            "germany",
            "frankfurt",
            "netherlands",
            "asn20446",
            "highwinds3",
            "page url",
            "search live",
            "api blog",
            "docs pricing",
            "tags",
            "november",
            "us summary",
            "http",
            "google safe",
            "browsing",
            "adware",
            "xtrat",
            "firehol",
            "microsoft",
            "control server",
            "services",
            "msil",
            "hiloti",
            "asn16509",
            "amazon02",
            "fastly",
            "asn54113",
            "prague",
            "login",
            "listen live",
            "centura health",
            "colorado jobs",
            "eeo public",
            "filing url",
            "blacklist https",
            "mimikatz",
            "beach research",
            "de indicators",
            "copyright",
            "gmbh version",
            "follow",
            "softcnapp",
            "philadelphia",
            "gamehack",
            "value",
            "line",
            "variables",
            "nreum",
            "postrelease",
            "url https",
            "security tls",
            "protocol h2",
            "name value",
            "scam",
            "gesponsert url",
            "outputldjh",
            "oid2",
            "uhis2",
            "uh1200",
            "uw1600",
            "uah1200",
            "uaw1600",
            "ucd24",
            "usd1",
            "utz60",
            "no data",
            "coinminer",
            "ip address",
            "exchange",
            "http attacker",
            "states",
            "jimburkedentistry",
            "leder-family",
            "adam lee",
            "erika lee",
            "malvertizing"
          ],
          "references": [
            "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
            "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
            "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
            "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
            "http://tracks.theleders.family",
            "photos.theleders.family",
            "http://45.159.189.105/bot/regex      (tracks Tsara Brashears)",
            "45.159.189.105                   (CNC IP \u2022 Tracking Tsara Brashears)",
            "http://mobtrack.trkclk.net",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "nr-data.net",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "103.233.208.9                    (CNC IP)",
            "apex.jquery.com             (scammer | works for who?)",
            "api.useragentswitch.com",
            "bam-cell.nr-data.net        (Apple Private Data Collection | since found, result continuously modified)",
            "dns.google                          (DNS client services - Doug Cole)",
            "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
            "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
            "apple-dns.net",
            "emails.redvue.com  (apple DNS w/amvima)",
            "142.250.180.4 (init.ess)",
            "init.ess.apple.com   (Highly malicious. Will infiltrate devices when exploited. Spyware)",
            "freeimdatingsites.thomasdobo.eu",
            "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
            "https://urlscan.io/domain/maxwam.tk",
            "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "GameHack",
              "display_name": "GameHack",
              "target": null
            },
            {
              "id": "States",
              "display_name": "States",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6562908e28e6cdc237fbf8db",
          "export_count": 107,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1956,
            "FileHash-SHA1": 867,
            "FileHash-SHA256": 3895,
            "URL": 11195,
            "domain": 2959,
            "hostname": 3575,
            "CVE": 16,
            "SSLCertFingerprint": 1,
            "email": 1
          },
          "indicator_count": 24465,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "599 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c52e830f0f0b98744fc83c",
          "name": "Ransom:Win32/LockScreen.BN",
          "description": "",
          "modified": "2024-09-15T14:36:33.834000",
          "created": "2024-08-21T00:02:11.443000",
          "tags": [
            "browser",
            "navegador",
            "ver los",
            "download",
            "tsara brashears",
            "tsara",
            "links",
            "search",
            "watch tsara",
            "google search",
            "please click",
            "accessibility",
            "skip",
            "footer",
            "url https",
            "all scoreblue",
            "report spam",
            "output",
            "hours ago",
            "amber a",
            "porn",
            "malvertising",
            "thebrotherssabey",
            "injection",
            "contacted",
            "cybercrime",
            "view",
            "unsupported",
            "javascript",
            "download",
            "get her",
            "videos maps",
            "images news",
            "fake news",
            "please",
            "let me jerk",
            "pornhub subsidiary",
            "google search",
            "any source",
            "videos",
            "watch",
            "any quality",
            "any quality videos",
            "as47846",
            "germany unknown",
            "levelblue",
            "open threat",
            "endpoints all",
            "spam",
            "brashears",
            "xxx videos",
            "researched",
            "url http",
            "college guy",
            "fuck",
            "available now",
            "pics",
            "vids",
            "custom and",
            "premade",
            "feet pics",
            "and vids",
            "tape",
            "diamond",
            "maya",
            "xxx video",
            "twitter",
            "brian sabey",
            "hallrender",
            "delete c",
            "crlf line",
            "ms windows",
            "intel",
            "united",
            "write c",
            "utf8",
            "read c",
            "show",
            "unknown",
            "copy",
            "plugx",
            "write",
            "malware",
            "winnt",
            "next",
            "encrypt",
            "jaik",
            "heur",
            "custom malware",
            "botnet",
            "templates",
            "dynamicloader",
            "high",
            "yara rule",
            "tofsee",
            "windows",
            "medium",
            "sha256",
            "ids detections",
            "yara detections",
            "less see",
            "stream",
            "grum",
            "ransom",
            "delphi",
            "attempts",
            "power",
            "sniffs",
            "guard",
            "images"
          ],
          "references": [
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "d1.cnbd.net  localhost.cnbd.net  mail.cnbd.net",
            "https://otx.alienvault.com/indicator/url/http://manage.netflix.com.usermanagement.key.1973573.net-server1.com",
            "https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger/",
            "Antivirus Detections: Win.Malware.Jaik-9940406-0",
            "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "Yara Defections: ConventionEngine_Keyword_Install Alerts PlugX",
            "Alerts: PlugX cape_extracted_content",
            "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "Antivirus Detections: Win.Malware.Shellstartup-9892532-0 ,  Ransom:Win32/LockScreen.BN",
            "Yara Detections: Zeppelin_24 ,  Zeppelin_30 ,  Delphi",
            "Alerts: procmem_yara persistence_autorun modify_proxy disables_power_options",
            "Alerts: infostealer_cookies infostealer_keylog recon_fingerprint suspicious_command_tools",
            "Ransom:Win32/LockScreen.BN"
          ],
          "public": 1,
          "adversary": "Brian Sabey| The Brothers Sabey",
          "targeted_countries": [
            "United States of America",
            "Finland",
            "France",
            "Spain",
            "Croatia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Win.Malware.Jaik-9940406-0",
              "display_name": "Win.Malware.Jaik-9940406-0",
              "target": null
            },
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Win.Malware.Shellstartup-9892532-0",
              "display_name": "Win.Malware.Shellstartup-9892532-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/LockScreen.BN",
              "display_name": "Ransom:Win32/LockScreen.BN",
              "target": "/malware/Ransom:Win32/LockScreen.BN"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Media",
            "Civilian Society",
            "Advocacy"
          ],
          "TLP": "green",
          "cloned_from": "66bf6eae14cd8d0495a31fc7",
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 267,
            "URL": 733,
            "domain": 130,
            "FileHash-SHA256": 1915,
            "FileHash-MD5": 620,
            "FileHash-SHA1": 534,
            "email": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 4206,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "625 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bf6eae14cd8d0495a31fc7",
          "name": "Ransom:Win32/LockScreen.BN",
          "description": "If attacker was in truth an attorney, threat actor would be aware that it is illegal and a civil rights violation that is recognized by the court of law.\nViolation of Kianna's Law \nHacking - Invasion of Privacy\nCopyright infringement\nFraudulent distribution of copyright protected [property for financial gain, libel, stalking, harassment, malicious distribution of address, phone number to ill intentioned individuals l and putting one in a bad light. Even if target was guilty of all of allegations posted to destroy her reputation; it is illegal to spread this information with intent. This has truthfully cost victim and family millions. Victim needs her name and reputation restored. She needs privacy and a right to feel safe. Retaliation is unnecessary. Jeffrey Scott Reimer DPT claimed on top of victim and critically injured her via sexual assault....she is 100% innocent.",
          "modified": "2024-09-15T14:01:41.523000",
          "created": "2024-08-16T15:22:22.249000",
          "tags": [
            "browser",
            "navegador",
            "ver los",
            "download",
            "tsara brashears",
            "tsara",
            "links",
            "search",
            "watch tsara",
            "google search",
            "please click",
            "accessibility",
            "skip",
            "footer",
            "url https",
            "all scoreblue",
            "report spam",
            "output",
            "hours ago",
            "amber a",
            "porn",
            "malvertising",
            "thebrotherssabey",
            "injection",
            "contacted",
            "cybercrime",
            "view",
            "unsupported",
            "javascript",
            "download",
            "get her",
            "videos maps",
            "images news",
            "fake news",
            "please",
            "let me jerk",
            "pornhub subsidiary",
            "google search",
            "any source",
            "videos",
            "watch",
            "any quality",
            "any quality videos",
            "as47846",
            "germany unknown",
            "levelblue",
            "open threat",
            "endpoints all",
            "spam",
            "brashears",
            "xxx videos",
            "researched",
            "url http",
            "college guy",
            "fuck",
            "available now",
            "pics",
            "vids",
            "custom and",
            "premade",
            "feet pics",
            "and vids",
            "tape",
            "diamond",
            "maya",
            "xxx video",
            "twitter",
            "brian sabey",
            "hallrender",
            "delete c",
            "crlf line",
            "ms windows",
            "intel",
            "united",
            "write c",
            "utf8",
            "read c",
            "show",
            "unknown",
            "copy",
            "plugx",
            "write",
            "malware",
            "winnt",
            "next",
            "encrypt",
            "jaik",
            "heur",
            "custom malware",
            "botnet",
            "templates",
            "dynamicloader",
            "high",
            "yara rule",
            "tofsee",
            "windows",
            "medium",
            "sha256",
            "ids detections",
            "yara detections",
            "less see",
            "stream",
            "grum",
            "ransom",
            "delphi",
            "attempts",
            "power",
            "sniffs",
            "guard",
            "images"
          ],
          "references": [
            "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
            "https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "d1.cnbd.net  localhost.cnbd.net  mail.cnbd.net",
            "https://otx.alienvault.com/indicator/url/http://manage.netflix.com.usermanagement.key.1973573.net-server1.com",
            "https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
            "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger/",
            "Antivirus Detections: Win.Malware.Jaik-9940406-0",
            "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "Yara Defections: ConventionEngine_Keyword_Install Alerts PlugX",
            "Alerts: PlugX cape_extracted_content",
            "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
            "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
            "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
            "Antivirus Detections: Win.Malware.Shellstartup-9892532-0 ,  Ransom:Win32/LockScreen.BN",
            "Yara Detections: Zeppelin_24 ,  Zeppelin_30 ,  Delphi",
            "Alerts: procmem_yara persistence_autorun modify_proxy disables_power_options",
            "Alerts: infostealer_cookies infostealer_keylog recon_fingerprint suspicious_command_tools",
            "Ransom:Win32/LockScreen.BN"
          ],
          "public": 1,
          "adversary": "Brian Sabey| The Brothers Sabey",
          "targeted_countries": [
            "United States of America",
            "Finland",
            "France",
            "Spain",
            "Croatia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Win.Malware.Jaik-9940406-0",
              "display_name": "Win.Malware.Jaik-9940406-0",
              "target": null
            },
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Win.Malware.Shellstartup-9892532-0",
              "display_name": "Win.Malware.Shellstartup-9892532-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/LockScreen.BN",
              "display_name": "Ransom:Win32/LockScreen.BN",
              "target": "/malware/Ransom:Win32/LockScreen.BN"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Media",
            "Civilian Society",
            "Advocacy"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 252,
            "URL": 562,
            "domain": 120,
            "FileHash-SHA256": 1915,
            "FileHash-MD5": 620,
            "FileHash-SHA1": 534,
            "email": 2,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 4010,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "625 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b0fa3624bf0384e427f2e7",
          "name": "Tracking Domains 4.2 - 08.19.24",
          "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
          "modified": "2024-09-04T15:01:01.432000",
          "created": "2024-08-05T16:13:42.563000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
            "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
            "https://viz.greynoise.io/query/AS4611",
            "https://urlscan.io/asn/AS4611",
            "https://urlscan.io/search/#asn:%22AS4611%22",
            "https://urlscan.io/asn/AS45090",
            "https://urlscan.io/search/#asn%3A%22AS45090%22",
            "https://viz.greynoise.io/query/AS45090",
            "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
            "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
            "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
            "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6180,
            "FileHash-MD5": 1,
            "domain": 24921,
            "URL": 10854
          },
          "indicator_count": 41956,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "636 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b1f33258a8e26033b17",
          "name": "Tracking Domains - Part 4.1",
          "description": "More Tracking Domains",
          "modified": "2024-08-30T13:02:28.335000",
          "created": "2024-04-22T17:15:11.398000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
            "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 94496,
            "FileHash-MD5": 63,
            "domain": 112327,
            "URL": 166918,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 103,
            "CIDR": 216
          },
          "indicator_count": 374156,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "641 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b204ecfba63974dc1d8",
          "name": "Tracking Domains - Part 4",
          "description": "More Tracking Domains",
          "modified": "2024-05-22T17:04:45.215000",
          "created": "2024-04-22T17:15:12.353000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 792,
            "FileHash-MD5": 1,
            "domain": 5803,
            "URL": 2
          },
          "indicator_count": 6598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "741 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ac688725adf28284e2efe9",
          "name": "\"No Problems\": Investigation of Distribution Vectors and Threat Network Infrastructure",
          "description": "Investigation of Distribution Vectors and Threat Network Infrastructure\n\nAn analysis of Malware Distribution and Threats stemming from an Internal Breach at the University of Alberta. Retrospective & 'In-Progress' tracking, identification, and characterization among affected individuals/organizations, services, and platforms.\n\nJust your average student looking for a solution to help identify or 'link together' some on-going issue(s) with a few things(? - [insert noun] ) and/or also fixing things & 'learning-on-the-fly' - which all definitely 'have everything to do with my education and skillset' [insert bitterness & sarcasm].\n\nApparently meeting the academic standards for implementing and enforcing a 'secure environment' and protecting students relies on: 1) The innovative approach of a 'remote Google-Meet teardown' of everything but your devices, data, or software issues and 2) The 'Holistic Model' of \"we don't do 'in-person' technical support\" because \"we are un-hackable\".",
          "modified": "2024-03-11T07:12:06.930000",
          "created": "2023-07-10T20:22:31.492000",
          "tags": [],
          "references": [
            "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
            "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
            "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
            "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Mexico",
            "United States of America",
            "Aruba",
            "Panama",
            "Canada",
            "Anguilla"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 467,
            "domain": 767,
            "hostname": 402,
            "URL": 142,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 1929,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "813 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6562908e28e6cdc237fbf8db",
          "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
          "description": "",
          "modified": "2023-12-26T00:03:03.925000",
          "created": "2023-11-26T00:25:50.529000",
          "tags": [
            "ssl certificate",
            "contacted",
            "threat roundup",
            "whois record",
            "communicating",
            "subdomains",
            "resolutions",
            "june",
            "july",
            "october",
            "august",
            "noname057",
            "generic malware",
            "ice fog",
            "tag count",
            "thu nov",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "first",
            "generic",
            "detection list",
            "blacklist http",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "alexa",
            "malware site",
            "malicious site",
            "unsafe",
            "artemis",
            "fakealert",
            "exploit",
            "opencandy",
            "riskware",
            "genkryptik",
            "iframe",
            "tiggre",
            "presenoker",
            "agent",
            "conduit",
            "wacatac",
            "phishing",
            "redline stealer",
            "dropper",
            "cobalt strike",
            "acint",
            "nircmd",
            "swrort",
            "downldr",
            "systweak",
            "behav",
            "crack",
            "filetour",
            "cleaner",
            "installpack",
            "xrat",
            "fusioncore",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "blacknet rat",
            "stealer",
            "maltiverse",
            "webtoolbar",
            "trojanspy",
            "united",
            "engineering",
            "cyber threat",
            "phishing site",
            "america",
            "emotet",
            "zbot",
            "malicious",
            "steam",
            "team",
            "indonesia",
            "miner",
            "ransomware",
            "ramnit",
            "pe resource",
            "historical ssl",
            "execution",
            "hacktool",
            "metasploit",
            "relic",
            "monitoring",
            "android",
            "skynet",
            "et",
            "anonymizer",
            "trojanx",
            "back",
            "laplasclipper",
            "win64",
            "trojan",
            "ghost rat",
            "suppobox",
            "asyncrat",
            "union",
            "samples",
            "blacklist",
            "malicious url",
            "hostname",
            "hostnames",
            "tsara brashears",
            "reinsurance",
            "pinnacol insurance",
            "industry and commerce",
            "state",
            "danger",
            "warning",
            "nr-data.net",
            "apple",
            "data.net",
            "asp.net",
            "domains",
            "hashes",
            "reverse dns",
            "general full",
            "resource",
            "software",
            "asn15169",
            "google",
            "url http",
            "server",
            "hash",
            "get h2",
            "main",
            "cookie",
            "thu dec",
            "germany",
            "frankfurt",
            "netherlands",
            "asn20446",
            "highwinds3",
            "page url",
            "search live",
            "api blog",
            "docs pricing",
            "tags",
            "november",
            "us summary",
            "http",
            "google safe",
            "browsing",
            "adware",
            "xtrat",
            "firehol",
            "microsoft",
            "control server",
            "services",
            "msil",
            "hiloti",
            "asn16509",
            "amazon02",
            "fastly",
            "asn54113",
            "prague",
            "login",
            "listen live",
            "centura health",
            "colorado jobs",
            "eeo public",
            "filing url",
            "blacklist https",
            "mimikatz",
            "beach research",
            "de indicators",
            "copyright",
            "gmbh version",
            "follow",
            "softcnapp",
            "philadelphia",
            "gamehack",
            "value",
            "line",
            "variables",
            "nreum",
            "postrelease",
            "url https",
            "security tls",
            "protocol h2",
            "name value",
            "scam",
            "gesponsert url",
            "outputldjh",
            "oid2",
            "uhis2",
            "uh1200",
            "uw1600",
            "uah1200",
            "uaw1600",
            "ucd24",
            "usd1",
            "utz60",
            "no data",
            "coinminer",
            "ip address",
            "exchange",
            "http attacker",
            "states",
            "jimburkedentistry",
            "leder-family",
            "adam lee",
            "erika lee",
            "malvertizing"
          ],
          "references": [
            "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
            "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
            "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
            "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
            "http://tracks.theleders.family",
            "photos.theleders.family",
            "http://45.159.189.105/bot/regex      (tracks Tsara Brashears)",
            "45.159.189.105                   (CNC IP \u2022 Tracking Tsara Brashears)",
            "http://mobtrack.trkclk.net",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "nr-data.net",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "103.233.208.9                    (CNC IP)",
            "apex.jquery.com             (scammer | works for who?)",
            "api.useragentswitch.com",
            "bam-cell.nr-data.net        (Apple Private Data Collection | since found, result continuously modified)",
            "dns.google                          (DNS client services - Doug Cole)",
            "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
            "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
            "apple-dns.net",
            "emails.redvue.com  (apple DNS w/amvima)",
            "142.250.180.4 (init.ess)",
            "init.ess.apple.com   (Highly malicious. Will infiltrate devices when exploited. Spyware)",
            "freeimdatingsites.thomasdobo.eu",
            "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
            "https://urlscan.io/domain/maxwam.tk",
            "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "GameHack",
              "display_name": "GameHack",
              "target": null
            },
            {
              "id": "States",
              "display_name": "States",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 83,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1956,
            "FileHash-SHA1": 867,
            "FileHash-SHA256": 3751,
            "URL": 10878,
            "domain": 2914,
            "hostname": 3520,
            "CVE": 16
          },
          "indicator_count": 23902,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "890 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "656aafce24b001cba328dcbc",
          "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
          "description": "",
          "modified": "2023-12-26T00:03:03.925000",
          "created": "2023-12-02T04:17:18.188000",
          "tags": [
            "ssl certificate",
            "contacted",
            "threat roundup",
            "whois record",
            "communicating",
            "subdomains",
            "resolutions",
            "june",
            "july",
            "october",
            "august",
            "noname057",
            "generic malware",
            "ice fog",
            "tag count",
            "thu nov",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "first",
            "generic",
            "detection list",
            "blacklist http",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "safe site",
            "million",
            "malware",
            "alexa",
            "malware site",
            "malicious site",
            "unsafe",
            "artemis",
            "fakealert",
            "exploit",
            "opencandy",
            "riskware",
            "genkryptik",
            "iframe",
            "tiggre",
            "presenoker",
            "agent",
            "conduit",
            "wacatac",
            "phishing",
            "redline stealer",
            "dropper",
            "cobalt strike",
            "acint",
            "nircmd",
            "swrort",
            "downldr",
            "systweak",
            "behav",
            "crack",
            "filetour",
            "cleaner",
            "installpack",
            "xrat",
            "fusioncore",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "blacknet rat",
            "stealer",
            "maltiverse",
            "webtoolbar",
            "trojanspy",
            "united",
            "engineering",
            "cyber threat",
            "phishing site",
            "america",
            "emotet",
            "zbot",
            "malicious",
            "steam",
            "team",
            "indonesia",
            "miner",
            "ransomware",
            "ramnit",
            "pe resource",
            "historical ssl",
            "execution",
            "hacktool",
            "metasploit",
            "relic",
            "monitoring",
            "android",
            "skynet",
            "et",
            "anonymizer",
            "trojanx",
            "back",
            "laplasclipper",
            "win64",
            "trojan",
            "ghost rat",
            "suppobox",
            "asyncrat",
            "union",
            "samples",
            "blacklist",
            "malicious url",
            "hostname",
            "hostnames",
            "tsara brashears",
            "reinsurance",
            "pinnacol insurance",
            "industry and commerce",
            "state",
            "danger",
            "warning",
            "nr-data.net",
            "apple",
            "data.net",
            "asp.net",
            "domains",
            "hashes",
            "reverse dns",
            "general full",
            "resource",
            "software",
            "asn15169",
            "google",
            "url http",
            "server",
            "hash",
            "get h2",
            "main",
            "cookie",
            "thu dec",
            "germany",
            "frankfurt",
            "netherlands",
            "asn20446",
            "highwinds3",
            "page url",
            "search live",
            "api blog",
            "docs pricing",
            "tags",
            "november",
            "us summary",
            "http",
            "google safe",
            "browsing",
            "adware",
            "xtrat",
            "firehol",
            "microsoft",
            "control server",
            "services",
            "msil",
            "hiloti",
            "asn16509",
            "amazon02",
            "fastly",
            "asn54113",
            "prague",
            "login",
            "listen live",
            "centura health",
            "colorado jobs",
            "eeo public",
            "filing url",
            "blacklist https",
            "mimikatz",
            "beach research",
            "de indicators",
            "copyright",
            "gmbh version",
            "follow",
            "softcnapp",
            "philadelphia",
            "gamehack",
            "value",
            "line",
            "variables",
            "nreum",
            "postrelease",
            "url https",
            "security tls",
            "protocol h2",
            "name value",
            "scam",
            "gesponsert url",
            "outputldjh",
            "oid2",
            "uhis2",
            "uh1200",
            "uw1600",
            "uah1200",
            "uaw1600",
            "ucd24",
            "usd1",
            "utz60",
            "no data",
            "coinminer",
            "ip address",
            "exchange",
            "http attacker",
            "states",
            "jimburkedentistry",
            "leder-family",
            "adam lee",
            "erika lee",
            "malvertizing"
          ],
          "references": [
            "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
            "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
            "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
            "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
            "http://tracks.theleders.family",
            "photos.theleders.family",
            "http://45.159.189.105/bot/regex      (tracks Tsara Brashears)",
            "45.159.189.105                   (CNC IP \u2022 Tracking Tsara Brashears)",
            "http://mobtrack.trkclk.net",
            "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "nr-data.net",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "103.233.208.9                    (CNC IP)",
            "apex.jquery.com             (scammer | works for who?)",
            "api.useragentswitch.com",
            "bam-cell.nr-data.net        (Apple Private Data Collection | since found, result continuously modified)",
            "dns.google                          (DNS client services - Doug Cole)",
            "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
            "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
            "apple-dns.net",
            "emails.redvue.com  (apple DNS w/amvima)",
            "142.250.180.4 (init.ess)",
            "init.ess.apple.com   (Highly malicious. Will infiltrate devices when exploited. Spyware)",
            "freeimdatingsites.thomasdobo.eu",
            "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
            "https://urlscan.io/domain/maxwam.tk",
            "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "GameHack",
              "display_name": "GameHack",
              "target": null
            },
            {
              "id": "States",
              "display_name": "States",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6562908e28e6cdc237fbf8db",
          "export_count": 78,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1956,
            "FileHash-SHA1": 867,
            "FileHash-SHA256": 3751,
            "URL": 10878,
            "domain": 2914,
            "hostname": 3520,
            "CVE": 16
          },
          "indicator_count": 23902,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "890 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708d52d6ca2270db4e1a55",
          "name": "json ios 15.4.1 Privacy app data 4-5-2022",
          "description": "",
          "modified": "2023-12-06T15:03:46.291000",
          "created": "2023-12-06T15:03:46.291000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 557,
            "hostname": 302,
            "domain": 54,
            "URL": 310
          },
          "indicator_count": 1224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708bdef430e1a00b884a89",
          "name": "all that json file from twitter app data = this wtf",
          "description": "",
          "modified": "2023-12-06T14:57:34.504000",
          "created": "2023-12-06T14:57:34.504000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4811,
            "hostname": 998,
            "domain": 233,
            "URL": 433,
            "FileHash-MD5": 16
          },
          "indicator_count": 6491,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 111,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708a78e8b64037edbd6a88",
          "name": "json iPhone app data 30-3-2022 2/3",
          "description": "",
          "modified": "2023-12-06T14:51:36.819000",
          "created": "2023-12-06T14:51:36.819000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 5234,
            "hostname": 1530,
            "domain": 306,
            "URL": 1478,
            "FileHash-MD5": 46
          },
          "indicator_count": 8595,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708a730765663247bf0c34",
          "name": "my iphone app data json file 31-3-2022 3/3",
          "description": "",
          "modified": "2023-12-06T14:51:31.643000",
          "created": "2023-12-06T14:51:31.643000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 2636,
            "hostname": 657,
            "domain": 126,
            "URL": 277,
            "FileHash-MD5": 1
          },
          "indicator_count": 3698,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708191cdba4e9f07ba1f93",
          "name": "mail.ru:%22,",
          "description": "",
          "modified": "2023-12-06T14:13:36.976000",
          "created": "2023-12-06T14:13:36.976000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2753,
            "hostname": 1341,
            "domain": 447,
            "URL": 3301,
            "CIDR": 65,
            "FileHash-MD5": 112,
            "FileHash-SHA1": 2
          },
          "indicator_count": 8021,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f152513c2dcc0f4e3406e",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-10-30T02:29:57.489000",
          "created": "2023-10-30T02:29:57.489000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "65133d6945641812c2ccc6ee",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "947 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f1524792f3064843d826f",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-10-30T02:29:56.006000",
          "created": "2023-10-30T02:29:56.006000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "65133d6945641812c2ccc6ee",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "947 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650fda65975555b2dabc023e",
          "name": "Threat Network Root  & Distribution Vectors Probe ( disabe_duck curated pulse) ",
          "description": "",
          "modified": "2023-09-27T21:01:26.901000",
          "created": "2023-09-24T06:42:45.462000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "64ed117e2308a042e50e1e9e",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "979 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65133d6945641812c2ccc6ee",
          "name": "Threat Network Root & Distribution Vectors Probe",
          "description": "",
          "modified": "2023-09-27T21:01:26.901000",
          "created": "2023-09-26T20:22:01.290000",
          "tags": [
            "Domains",
            "ip addresses",
            "URLs",
            "Files",
            "Alberta Health Services",
            "BEC",
            "Education",
            "University of Alberta",
            "Government of Alberta",
            "Covenant Health Alberta",
            "Telus Communications",
            "Canadian Universities",
            "Malicious Certificates",
            "Digital Identity Theft / Credential Theft"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
            "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
            "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
            "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
            "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
            "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
            "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
            "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
            "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
            "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
            "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary"
          ],
          "public": 1,
          "adversary": "Unknown APT Group(s) / Threat Actor (s)",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Philippines",
            "Panama",
            "Netherlands",
            "Anguilla",
            "Saint Vincent and the Grenadines",
            "Aruba",
            "Mexico",
            "Guatemala",
            "Costa Rica",
            "Tanzania, United Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "650fda65975555b2dabc023e",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 230,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 1197,
            "URL": 9276,
            "CIDR": 16,
            "domain": 7895,
            "email": 2,
            "hostname": 1965
          },
          "indicator_count": 20720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 234,
          "modified_text": "979 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64e6d1d8a39e9bf68a0eb83d",
          "name": "Threat Network Investigation ",
          "description": "",
          "modified": "2023-08-24T03:43:20.121000",
          "created": "2023-08-24T03:43:20.121000",
          "tags": [],
          "references": [
            "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
            "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
            "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
            "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Mexico",
            "United States of America",
            "Aruba",
            "Panama",
            "Canada",
            "Anguilla"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": "64ac688725adf28284e2efe9",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 467,
            "domain": 762,
            "hostname": 269,
            "URL": 139
          },
          "indicator_count": 1786,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "1013 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6431200f49228074de68009b",
          "name": "v4 - and a bit more yad2-js.nagich.co.il",
          "description": "",
          "modified": "2023-05-08T07:02:10.558000",
          "created": "2023-04-08T08:04:31.708000",
          "tags": [
            "ansi",
            "pcap processing",
            "pcap frame",
            "pcap",
            "united",
            "unicode",
            "date",
            "threat level",
            "hash seen",
            "suspicious",
            "qakbot",
            "yad2-js.nagich.co.il"
          ],
          "references": [
            "https://www.virustotal.com/graph/g9b4ed0fc63264fffaaaf48e3e15b5e8206c3a855780244ac96c17b388b99144b",
            "https://hybrid-analysis.com/sample/d0575e4cea70f4b5dc0b5195230f4cc7094348cc2816503743a491237c8dad33/6430ce66c0fcdd65900db340",
            "https://www.tiuli.com/special/19/%D7%98%D7%99%D7%95%D7%9C%D7%99-%D7%97%D7%91%D7%A8-%D7%94?video=Qrmt4JW6WpQ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 561,
            "hostname": 146,
            "domain": 140,
            "FileHash-SHA256": 363,
            "email": 3,
            "FileHash-MD5": 102,
            "FileHash-SHA1": 99
          },
          "indicator_count": 1414,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "1121 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62731709b2a1bf59775b8f2b",
          "name": "json ios 15.4.1 Privacy app data 4-5-2022",
          "description": "without generics",
          "modified": "2022-06-04T00:03:57.626000",
          "created": "2022-05-05T00:15:04.994000",
          "tags": [
            "appinitiated",
            "google llc",
            "akamai",
            "new relic",
            "hubspot",
            "fastly",
            "stackpath",
            "twitter",
            "warnermedia",
            "facebook"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 557,
            "hostname": 302,
            "URL": 310,
            "domain": 54,
            "CVE": 1
          },
          "indicator_count": 1224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 394,
          "modified_text": "1460 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6264b524008ccee1d221f967",
          "name": "statcounter nefarious ad and analytics in platform webapp delivered ads",
          "description": "",
          "modified": "2022-05-24T00:01:27.321000",
          "created": "2022-04-24T02:25:40.062000",
          "tags": [
            "associated urls",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "section",
            "ansi",
            "threat level",
            "header",
            "messages",
            "surveymonkey",
            "chrome",
            "firefox",
            "safari",
            "microsoft",
            "date",
            "span",
            "path",
            "body",
            "accept",
            "explorer",
            "suspicious",
            "main",
            "hybrid",
            "close",
            "click",
            "hosts",
            "april",
            "malicious",
            "general",
            "local",
            "factory",
            "strings",
            "team",
            "february",
            "hybrid analysis",
            "input",
            "report",
            "falcon sandbox",
            "please note",
            "data protection",
            "policy",
            "https",
            "memoryfile scan",
            "windir",
            "openurl c",
            "urlhttps",
            "pmuid",
            "no expiration",
            "filehashsha256",
            "url http",
            "expiration"
          ],
          "references": [
            "https://onetag-sys.com/usync/?pubId=6b859b96c564fbe",
            "https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_",
            "https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA",
            "https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---",
            "https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb",
            "https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3",
            "https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546",
            "usync.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 693,
            "hostname": 325,
            "domain": 205,
            "FileHash-SHA256": 148,
            "FileHash-MD5": 31,
            "CVE": 1,
            "FileHash-SHA1": 22,
            "email": 3
          },
          "indicator_count": 1428,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 395,
          "modified_text": "1471 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627608&Signature=nc6gUdC0NeDtHUOIT6P0pC0i9EKDBHTO%2BMbcwHvgjPzFPqDFGMq%2Fei9aUhg8ub9H4poa985bQO4xz1xEEOmGhEihgwKvDZ5u0QETkzbQJLxzzm5g9t%2Fx4iBeBHToQjDXdMrSu0ML%2FYBep0l%2F%2BkYortodmtnjHYhAEYOOLSZn4gSAWaPoq5vxXF9gtsRojKf9RIk5VuzDXFGY6BGsDKn2tch7nTJ3SmYKodEv4iWyVn4jp5g%2B4",
        "csh.cshrc",
        "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "https://urlscan.io/asn/AS4611",
        "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328",
        "group",
        "rmtab",
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "MultipeerConnectivity.h",
        "https://vtbehaviour.commondatastorage.googleapis.com/012f268838dbc4f0877ea47f272bcd5acdc15ac4584c3d3cddeae2f5107d09de_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629156&Signature=qIGYvmHwkDg5a1aWpPn%2FCFierOaHWS9Gyvi4Owjd4sJ7YytEl%2F5qxIIpo84v%2F7J%2BvxGYG9PrPDBHbH5jiJc2VOMkKroiRdzapAh%2FFwXVnVhn%2FCJ1eu6xMH2KJ6bs578zBbSbt6QJ2KPBU2E7RJQ5o%2FxLV93YjttPgspSTvjqiC1vCSwx78AdV7nt4xmxTCpqZB3OJuH%2ByROH7tWED9Qzq%2BVgwf7AmK9UrFuIKnmo07prAMKfo1k1",
        "zprofile",
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "103.233.208.9                    (CNC IP)",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "battery.csv",
        "arm64e-apple-macos.swiftinterface",
        "MultipeerConnectivity.tbd",
        "paths",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626394&Signature=mjMxHo8L7UrEZ%2B0mpGMaevi%2Fnyxg566NrZjoVPOa6T3Cbyv9SjUxWf%2BLTZqUG6wgBgPDMrC9WYvpluFNlA3a8CmS9FgO5Wk4ihVivuBtOPhisX8aQoky6AhLHqi%2FTU6pVryey1kfBt6MlRl0gEZ6OJtKADUb2hPUfxXN0b6zIDrBlBpDlzmi73JWdo%2BTl7HWhJzFk%2FDQy3DniCvgLRSPVSK0WPg%2BpvgzruUYB%2F5pkH20cP",
        "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9",
        "sipConfig.csv",
        "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "kern_loader.conf",
        "master.cf.proto",
        "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783",
        "locate.rc",
        "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark",
        "apex.jquery.com             (scammer | works for who?)",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "shells",
        "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500",
        "newsyslog.conf",
        "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
        "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]",
        "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626418&Signature=TwvqChaO8lqc0vzwz%2BZ7W7IIwZZZt6%2FhJ4DzgyGjlwl%2Bev3Aj3iyAMtUxNhwGhTz10UGTbYuZcmLUPKLpQ81mgT%2B8axs57DfzVt1BoJTH5lWYK%2BOI8LDJGXD8tZ8DGKuNa6dHqqdQ9gDvuEpnhGfMmpJovXa%2B0drHScs%2BE%2FQKF%2BRTqOXjfSVxMdoqYnlB3zMc6AU2CYPv%2FE1mP06q5yCaRjgA0aIcnf7ADr9",
        "asl.conf",
        "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022  https://pickyhot.disqus.com/tsara-brashears",
        "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
        "interfaceAddrs.csv",
        "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886",
        "ftpusers",
        "rpc",
        "rc.common",
        "https://cdn.teslarati.com \u2022  https://forums.teslarati.com/",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626474&Signature=kfjlpWuwZbaZbbP6fMcuay73HaFSKrqF520LJELy0GSL34yjKdsQSvLU8g4sBtj69rWQb6rJwENSsxoLQizFVcBSn04iqFQqS6VlgbQsMMJd57JpVb9gcQPuRc5iP37IN5crnnQjwWgIDQAxcMFVgX8L2SW2Eji5xGKVeIoJ6MJFYKxoyfiZD3779nqt8YvoaK1E4DWe5%2F9TzZWks0%2BaP5dwYHpoPnvYsj4k0X61JFQChNE5cZcNNbUH8i",
        "ntp_opendirectory.conf",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626915&Signature=A8EIjrcllVER4J%2FPzV2FRPV1NC%2FPha6J1APjMga6WlTRSe%2By092MDDTg4tF9ILYLxQtuQgmgwx93nasQfll6ffrd12FvlAsin2zj4vtdTT4AcIXmxJcKO0d%2FoLnozrBzi1R36TlEknCbXkqQPX%2BdvF%2BwroU1F61f6IOtIfgIK2uxK0KIG5I41N7fQcNOUNIwHoCvfAlSb2OqY1V4ESvWxMJ4MjdBn%2F%2B%2FUAOfpOh%2B7c",
        "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53",
        "version.plist",
        "relocated",
        "disk_structure.txt",
        "afpovertcp.cfg",
        "AppleFirmwareUpdate.tbd",
        "Alerts: PlugX cape_extracted_content",
        "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark",
        "photos.theleders.family",
        "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
        "https://hybrid-analysis.com/sample/de66bd83860e9dc66969b28f3b93b36c07c5f9d9568f13b07f0e1928490d6945/62649e273fcef808fa4c2bbb",
        "x86_64-apple-macos.swiftinterface",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602",
        "nfs.conf",
        "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188",
        "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628363&Signature=dlMT8ox9JTkziQZLJ6FL%2BRBc%2Fz%2BeAIvgi4qr%2FO3pMT9vAKLgbGFgQum2bJ74s07XpftMHPBj1fCgNY5xK7EIouHXhmpyiD%2B5zsfcKaNckOkNoIo6A9%2FfM6g42hN5djOg3pDclOqwj0ECuBWrtZXqZcrc5nv%2BU51qwqs6AAkIaiZWOX341r7RHPc49dpGRK0DG1XQDRGxacXm5erHEQmAAO8I8yR%2FzKT%2BZ6EJK6xC99uC",
        "https://ssbsync.smartadserver.com/api/sync?callerId=43&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA",
        "https://vtbehaviour.commondatastorage.googleapis.com/aa2691bc8ec9abf5359396a356551d1e2de12c9c5035c259650650ced6607c6f_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628175&Signature=C%2Bm0zPP%2FHfqcIuof%2F2O%2F0UbWPaY37tDrVB%2FZMr2M9H%2BjPTiynLMHNyn5vNT97ndboi7U21mT93t30I4UMIqdICdXtc%2BlGG7rYgE2ruFbI6U%2BBxHCmlKEUYh1FZY%2BPsskjCqojS2K4I1w%2BfsLyUwkpsGHzh92WF%2B5h5FbNY5PySi2Fd3B4ns1okQyrU6i%2F0PdPGs%2BjnHvLfdB%2Bx%2FOjTJPOcKqkwk",
        "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs",
        "bind.html",
        "https://urlscan.io/domain/maxwam.tk",
        "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx",
        "Antivirus Detections: Win.Malware.Jaik-9940406-0",
        "MCError.h",
        "user_launchagents.txt",
        "AOSKit.tbd",
        "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs",
        "Alerts: procmem_yara persistence_autorun modify_proxy disables_power_options",
        "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs",
        "canonical",
        "process_list.txt",
        "profile",
        "caching.html",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "https://www.tiuli.com/special/19/%D7%98%D7%99%D7%95%D7%9C%D7%99-%D7%97%D7%91%D7%A8-%D7%94?video=Qrmt4JW6WpQ",
        "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes",
        "postfix-files",
        "init.ess.apple.com   (Highly malicious. Will infiltrate devices when exploited. Spyware)",
        "header_checks",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\",
        "users.csv",
        "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .",
        "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
        "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark",
        "diskEncryption.csv",
        "auto_master",
        "MCAdvertiserAssistant.h",
        "https://www.teslarati.com/",
        "access",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d4dd113c9924d71398d9db20e2fcf347cad29c3d3bdc9612a44dfd47c1971aa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627160&Signature=K5%2FGwGNRKy0XCvva8zcyKHnsarNPNRQXXQI%2FV%2B1Susn9nmU9j%2Fm1SKT0f3LpBrVV5dyaLLy%2FYMPBmGKun3XY4WEmEl0KQkg17reIGCcLSeFbgDwpUm2DyN3ENt5d%2BkePCG6FvM5jUx7Cpf1ZTyw0PYePphEx1shaRArarvvSWz1kosuQhe%2BZ8tBYqt1c35e7%2BjQrwmLeZ489ungWsKJvhuXHetKJVJVEhY%2FLb3%2FBgTDodLwx3l",
        "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "ldap.h",
        "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c",
        "csh.logout",
        "sudo_lecture",
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627259&Signature=LB8UpSFAWpkptxq2TpSlVUjgaYsD8ZVxTie7HZDfh0FJ9h5o0dlAfn3fQ2KoL66TnUg2S0MIsEXMxl5O%2BL%2FFPweNRNyFyFK8M4aHPEHTZZlcAopz6ofdP7b0rYACYLl%2BH51rdDSCCDGVFB2AxZXaz54b748ZJBd0lCSxvueW2MVVLJcFl5w4hcNIIwnXuHCQD02rsYzffmjBIO6CC1hPulQwohf%2FTZKDK5iuOAhPoVWWswdroV2A7M6M6PUg9g",
        "mounts.csv",
        "resolv.conf",
        "https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False",
        "dns.google                          (DNS client services - Doug Cole)",
        "MCNearbyServiceAdvertiser.h",
        "networks",
        "chromeExtensions.csv",
        "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "http://tracks.theleders.family",
        "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected:  Redirect Types: Delayed Redirect  Redirects to: /doodles/  Suspicious",
        "blog.manpowergroup.com.py (aww like dadvocates)",
        "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376",
        "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628069&Signature=Tqx0WDIqoieH9yCo18tkPUdcYvTU0l0vEGnEzncxScNgePm2%2Bm5dMzcVkPb2dN4j43pL0c6xFpyqUmgcAaV4yJd1bWnukU%2FSoTPxrfzwEEPlXeMoapx9eeELYqF6WZWyor0m%2F4qv%2FuaYFkLWO2D8iOkqIiaNQBvu6nVuNBM3I%2FkrnXhWRxt3C8KQlAF%2Fo3ft05L0QBoJH6mQquOx2C777xrO6tjr31CGKjIMIAih66ud8Oskb57I%2B6zt",
        "configuring.html",
        "Driver_xst.h",
        "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark",
        "AirPlayReceiver.tbd",
        "https://viz.greynoise.io/query/AS4611",
        "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/",
        "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "d1.cnbd.net  localhost.cnbd.net  mail.cnbd.net",
        "All #tags auto populated.",
        "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "makedefs.out",
        "142.250.180.4 (init.ess)",
        "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "gettytab",
        "dbi_sql.h",
        "https://vtbehaviour.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628967&Signature=cw9IN04sKdFEDdQTLeqNWDt35Spbg0yI2vZFSrsk%2FJ6%2BD%2BRC5pt7QZKTQlutBh8zpYG9b4%2F7TjCFxf5jo1s6uYpiVA8s%2F5c5ZVy2Ia387UGrip6kYJ9s2cfp%2BgQ1o2RHEQRhukeRqR6uQpb87IVhWb1VjeABoOqT%2Buy%2BeXUckwOcInk8tcs9wCI1xhRe3raMJ1EC1gIdXCGzMqLU%2F874cclP6LWAUiQ08FPQe8VZtob",
        "launchagents.txt",
        "https://hybrid-analysis.com/sample/b3d7008253008166b2abeb2fcc642d9c5e354435f7cb83a681b3cba82840002e/62626a096a89191d343c4546",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs",
        "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark",
        "https://hybrid-analysis.com/sample/d0575e4cea70f4b5dc0b5195230f4cc7094348cc2816503743a491237c8dad33/6430ce66c0fcdd65900db340",
        "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/",
        "kernel.csv",
        "preboot_archive_errors.log",
        "certificates.csv",
        "smb.conf",
        "BUILDING",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true",
        "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2",
        "transport",
        "http://mobtrack.trkclk.net",
        "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
        "main.cf.proto",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551",
        "https://otx.alienvault.com/indicator/url/http://manage.netflix.com.usermanagement.key.1973573.net-server1.com",
        "Ransom:Win32/LockScreen.BN",
        "https://vtcuckoo.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629192&Signature=gnfHVeS3e3cryOoChL6czgBUI9mEJwFk8OZ22bAN4U7V1r1yCjBq7i3y7Sarv1O34zp2Yabguk5BQI4cgnZ64Dj1uLdrx9dUaYo%2FzBoITjzCiJ7djJCvB0alIiIw%2Bok%2BqRGGtIFbrfS61QNeDiXmFpeD1d%2F1lGe8ZoBd0nLLqtP5xdbRALcJbrvbCeln9nFuu199svtMraGxafiWFWiEC4GRx1BmdMZYVqC%2B%2FukhirOXs7MyPd6i1%2FsSjSWfGa8ss4pgIMD",
        "usbDevices.csv",
        "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev",
        "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f",
        "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
        "https://sync.richaudience.com/74889303289e27f327ad0c6de7be7264/?p=1BTOoaD22a&consentString=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&ccpa_",
        "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/",
        "Admin.tbd",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "generic",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/",
        "dbixs_rev.h",
        "Yara Defections: ConventionEngine_Keyword_Install Alerts PlugX",
        "apple-dns.net",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
        "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger/",
        "usync.html",
        "https://onetag-sys.com/usync/?pubId=6b859b96c564fbe",
        "zshrc",
        "protocols",
        "https://www.teslarati.com/spacex",
        "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs",
        "bounce.cf.default",
        "main.cf.default",
        "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7",
        "emails.redvue.com  (apple DNS w/amvima)",
        "freeimdatingsites.thomasdobo.eu",
        "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/",
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE",
        "https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears",
        "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary",
        "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/",
        "main.cf",
        "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary",
        "DBIXS.h",
        "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
        "applications.csv",
        "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/",
        "bam-cell.nr-data.net        (Apple Private Data Collection | since found, result continuously modified)",
        "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0",
        "x86_64-apple-ios-macabi.swiftinterface",
        "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True",
        "https://urlscan.io/asn/AS45090",
        "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c",
        "etcHosts.csv",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/",
        "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
        "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
        "com.apple.screensharing.agent.launchd",
        "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers",
        "https://ads.pubmatic.com/AdServer/js/user_sync.html?p=159110&gdpr=1&gdpr_consent=CPX4AJgPX4AJgDlBEAENCMCsAP_AAH_AACiQIsNf_X__b3_n-_7___t0eY1f9_7__-0zjhfdt-8N3f_X_L8X_2M7vF36tr4KuR4ku3bBIQdtHOncTUmx6olVrzPsbk2cr7NKJ7Pkmnsbe2dYGH9_n93T_ZKZ7______7________________________-_____9____________________________8EWACTDUvIAuxLHBk2jSKFECMKwkOoFABRQDC0RWEDq4KdlcBPqCFgAgFQEYEQIMQUYMAgAEAgCQiICQA8EAiAIgEAAIAFQCEABGwCCwAsDAIABQDQsQIoAhAkIMigiOUwICJEooJ7KxBKDvY0whDrLACgUf0VCAiUAIFgZCQsHMcASAlwskCzFC-QAjAAAA&us_privacy=1---",
        "https://viz.greynoise.io/query/AS45090",
        "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs",
        "interfaceDetails.csv",
        "MultipeerConnectivity.apinotes",
        "index.html.en",
        "hook_op_check.h",
        "Info.plist",
        "sharedFolders.csv",
        "bashrc",
        "LDAP.tbd",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared",
        "module.modulemap",
        "Detected Non-Google domain serving Google homepage details",
        "arm64e-apple-ios-macabi.swiftinterface",
        "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189",
        "https://www.virustotal.com/graph/g9b4ed0fc63264fffaaaf48e3e15b5e8206c3a855780244ac96c17b388b99144b",
        "security_status.txt",
        "https://hybrid-analysis.com/sample/9116e707b9da6b1047df9412e29b816726ba3aa6ebc91d77f7f47741ccb7b7bd/6264a22fa3836270e73495b3",
        "TLS_LICENSE",
        "https://vtbehaviour.commondatastorage.googleapis.com/faa6f8935bf337bb6f98bfe73e3b74f6e785da6929775e6bacbbd20d90ecf2c3_SNDBOX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627494&Signature=lBb52t94Lck4SSu4FORagQFNGojj5%2Bi7JRPlb68HqacyPusyn33LTlV%2F72P5M52r2EZ8ylUROPiRnCRBg0ry%2B2D1ctl1uWtP%2F1HDdBpnbxxUtkcM97MGzmUbIfTSOAsXsbB3f4Y6ZOIM%2BLYzCo%2BxwRmun4K%2Bo8K3mYHMatcF3mBtKcBPnP7WM5%2FHTz3XqJGMH9TCDIfe7j%2F3SAnx7X0tt0BgUcwPe4OkmHkUutihMBfek2MBp%2B",
        "ttys",
        "Yara Detections: Zeppelin_24 ,  Zeppelin_30 ,  Delphi",
        "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f",
        "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8",
        "irbrc",
        "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9",
        "ntp.conf",
        "man.conf",
        "csh.login",
        "https://n0paste.eu/UH6n5pD/",
        "Alerts: infostealer_cookies infostealer_keylog recon_fingerprint suspicious_command_tools",
        "Source :  Binary File  ATT&CK ID T1566.002",
        "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs",
        "passwd",
        "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac",
        "rc.netboot",
        "apfs_boot_mount.tbd",
        "MCBrowserViewController.h",
        "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57",
        "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352",
        "nr-data.net",
        "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb",
        "LICENSE",
        "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
        "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.",
        "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "mounts.txt",
        "auto_home",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
        "master.cf",
        "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
        "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7",
        "xtab",
        "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
        "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
        "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305",
        "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv",
        "syslog.conf",
        "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a",
        "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e",
        "dbivport.h",
        "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/",
        "command_args.json",
        "master.cf.default",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/",
        "virtual",
        "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.",
        "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627300&Signature=ZqM8a%2BUX0F1D8t51nlp1%2BcYFN0ozRLI92p85KFn1f3Aey19YDGw%2BAAEbxD1JMvi%2BsMRGGfYTPACg4h9DM0VFKT8yq4FOOqED%2FO17EAyZrz6YSyQcMMnozviy%2B%2FdpS0Sqd8sas9FdpgcUAS%2FzEEcqa%2FsQVtkpv2rp9BZLKqvbpquNXBlA9rnKzvbtNwEP7meNDc%2FXDspVqf%2Frb9bWY8uHq7hJl6pMWknVtV",
        "MCNearbyServiceBrowser.h",
        "pf.conf",
        "bashrc_Apple_Terminal",
        "lber.h",
        "sharingPreferences.csv",
        "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark",
        "zshrc_Apple_Terminal",
        "crashes.csv",
        "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark",
        "systemInfo.csv",
        "mail.rc",
        "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light",
        "manpaths",
        "systemControls.csv",
        "kexts.txt",
        "CodeResources",
        "custom_header_checks",
        "45.159.189.105                   (CNC IP \u2022 Tracking Tsara Brashears)",
        "sudoers",
        "api.useragentswitch.com",
        "Antivirus Detections: Win.Malware.Shellstartup-9892532-0 ,  Ransom:Win32/LockScreen.BN",
        "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark",
        "https://vtbehaviour.commondatastorage.googleapis.com/0c5a10f10eb29b8251a5dfe15fa74f7e25c281b4f9be7c87839a9ae3d34dfe6d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627783&Signature=FHIZFXnHZsAaWvZbG2O1vXTFfRz6BqTP8ikzyyXMpZ4VG6WEVnK3yHhhrnLfoLQqUCUgXvWOb1ThHRM6WXJGEx4jLnKM%2Fp6YkHmVEj1nFXBd%2BQ0IPGVwZRJfZcttoBFwmLwJ%2BTXEzUvqX%2FTXDGgeIKFac4IFl%2FGXPEmxi43CSXwZsWuD5CLfaHxEu65DvnuniHqPovnhBOp%2B2rEM2jSLgHuouV%2B9LiZwjgsSXeUVh1BFN5XrPPojB0Lk",
        "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm",
        "custom-error.html",
        "autofs.conf",
        "aliases",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "launchdaemons.txt",
        "MCPeerID.h",
        "convenience.map",
        "dbd_xsh.h",
        "CodeOverlap | All malware listed exists",
        "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327",
        "find.codes",
        "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators",
        "http://45.159.189.105/bot/regex      (tracks Tsara Brashears)",
        "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042",
        "launchD.csv",
        "APConfigurationSystem.tbd",
        "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d",
        "MCSession.h",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b",
        "pf.os",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/",
        "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark",
        "managedPolicies.csv",
        "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076",
        "content-negotiation.html",
        "LocalAuthentication.tbd",
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "notify.conf",
        "rtadvd.conf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "DragonForce Malaysia Hacker Group",
            "Unknown APT Group(s) / Threat Actor (s)",
            "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
            "Brian Sabey| The Brothers Sabey"
          ],
          "malware_families": [
            "#lowfi:exploit:java/cve-2012-0507",
            "Mirai (windows)",
            "Code overlap",
            "Webtoolbar",
            "Win.packer.pkr_ce1a-9980177-0",
            "Careto",
            "#lowfitrojan:html/iframe",
            "#lowfi:hstr:win32/mediadownloader",
            "Beach research",
            "Alf:backdoor:java/webshell",
            "Generic",
            "Starfighter (javascript)",
            "Paragon (pegasus variant)",
            "Html smuggling",
            "Trojan:js/berbew",
            "Pegasus for android - s0316",
            "Trojanspy",
            "Win.malware.snojan-6775202-0",
            "Graphite (pegasus variant)",
            "Pegasus for ios - s0289",
            "Ms defender\ttrojan:win32/qbot.kvd!mtb",
            "Malware",
            "Gamehack",
            "Win.malware.tfuvtcog-7194372-0",
            "Trojan.win32.banload",
            "Too much to search for",
            "#hacktool:powershell/powersploit",
            "Et",
            "Alf:jasyp:trojan:win32/genmaldown!atmn",
            "Win.malware.jaik-9940406-0",
            "#lowfi:aggregator:hasknownadwaredomain_nsisbundler.",
            "Zeroaccess - s0027",
            "Xloader for ios - s0490",
            "Alf:backdoor:powershell/reverseshell",
            "Formbook",
            "Skynet",
            "Trojan.win32.fakemalard",
            "Pegasus for mac",
            "Backdoor:linux/mirai",
            "Trojandownloader:linux/mirai",
            "Pegasus rdp module for windows",
            "States",
            "#lowfi:siga:trojandownloader:msil/genmaldow",
            "Trojan:win32/zombie.a",
            "Maltiverse",
            "Tofsee",
            "Alf:html/phishing",
            "Worm:win32/mofksys.rnd!mtb",
            "Firstname",
            "Win.malware.shellstartup-9892532-0",
            "Ransom:win32/lockscreen.bn",
            "#hstr:hacktool:win32/remoteshell",
            "Pegasus for android - mob-s0032",
            "Lastname"
          ],
          "industries": [
            "Media",
            "Education",
            "Civil",
            "People",
            "Medical",
            "Government",
            "Technology",
            "Government.",
            "Advocacy",
            "Civilian society",
            "Telecommunications",
            "Civilians",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "6a10e8d0c46d08b820206d6c",
      "name": "Emotet - dating back to before 2019. CAPE Sandbox",
      "description": "[ Cuckoo is a computer program that runs on an operating system (KVM) and can be run on a desktop or a mobile device (also known as a virtual assistant)]",
      "modified": "2026-05-23T05:14:22.248000",
      "created": "2026-05-22T23:37:52.466000",
      "tags": [
        "default",
        "jjjj",
        "settingswpad",
        "dos mode",
        "payload",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "emotet",
        "shutdown",
        "back"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 69,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 1530,
        "IPv4": 8385,
        "domain": 631,
        "URL": 160,
        "hostname": 6900,
        "CIDR": 7
      },
      "indicator_count": 17718,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5f37d3917861c6b99884b",
      "name": "CAPE Sandbox RIP.exe BLOODBANK.exe",
      "description": "A Cuckoo executable, for MS Windows, runs at 12:12:57 on the morning of 11 November, 2024, and ends in an unauthorised binary that ends up in a box full of data.- rip.exe tied to a gov domain is a treat.",
      "modified": "2026-05-16T07:01:32.826000",
      "created": "2026-04-08T06:19:41.886000",
      "tags": [
        "shell folders",
        "cname",
        "ip address",
        "nothing",
        "registry keys",
        "cape sandbox",
        "file type",
        "file size",
        "sha256",
        "mwdb",
        "accept",
        "shutdown",
        "windows sandbox",
        "calls process",
        "nethandle",
        "net1510000",
        "fastly",
        "skyca3",
        "po box",
        "city",
        "san francisco",
        "stateprov",
        "postalcode",
        "orgtechhandle",
        "orgnochandle",
        "orgid",
        "orgabuseref",
        "orgname",
        "cidr",
        "text process",
        "user",
        "default",
        "xport",
        "use my",
        "gmt ifnonematch",
        "microsoft excel",
        "pe file",
        "https",
        "contains",
        "spawns",
        "reads",
        "aslr",
        "seterrormode",
        "window",
        "malicious",
        "next",
        "csv text",
        "ascii text",
        "process",
        "queries memory",
        "network info",
        "dropped info",
        "persistence",
        "javascript",
        "please",
        "strong",
        "toggle",
        "mitre att",
        "advapi32",
        "windows",
        "dynamicloader",
        "sspicli",
        "name",
        "pid parent",
        "first",
        "threads",
        "path",
        "pegasus",
        "crypt32",
        "virustotal",
        "enterprise",
        "service",
        "close",
        "performs dns",
        "urls",
        "found",
        "united",
        "jpeg image",
        "jfif",
        "json",
        "tls version",
        "mitre attack",
        "creates",
        "phishing",
        "clear filters",
        "thumbprint",
        "temp",
        "full path",
        "windir",
        "behavior",
        "selfdeleting",
        "bat file",
        "address",
        "port",
        "report",
        "system process",
        "downloads",
        "binary",
        "hxojc8o",
        "signatures",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "hkeyclassesroot",
        "createfilew",
        "regcreatekeyexw",
        "regsetvalueexw",
        "genericread",
        "readfile",
        "desktop",
        "webview",
        "fail"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626394&Signature=mjMxHo8L7UrEZ%2B0mpGMaevi%2Fnyxg566NrZjoVPOa6T3Cbyv9SjUxWf%2BLTZqUG6wgBgPDMrC9WYvpluFNlA3a8CmS9FgO5Wk4ihVivuBtOPhisX8aQoky6AhLHqi%2FTU6pVryey1kfBt6MlRl0gEZ6OJtKADUb2hPUfxXN0b6zIDrBlBpDlzmi73JWdo%2BTl7HWhJzFk%2FDQy3DniCvgLRSPVSK0WPg%2BpvgzruUYB%2F5pkH20cP",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626418&Signature=TwvqChaO8lqc0vzwz%2BZ7W7IIwZZZt6%2FhJ4DzgyGjlwl%2Bev3Aj3iyAMtUxNhwGhTz10UGTbYuZcmLUPKLpQ81mgT%2B8axs57DfzVt1BoJTH5lWYK%2BOI8LDJGXD8tZ8DGKuNa6dHqqdQ9gDvuEpnhGfMmpJovXa%2B0drHScs%2BE%2FQKF%2BRTqOXjfSVxMdoqYnlB3zMc6AU2CYPv%2FE1mP06q5yCaRjgA0aIcnf7ADr9",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626474&Signature=kfjlpWuwZbaZbbP6fMcuay73HaFSKrqF520LJELy0GSL34yjKdsQSvLU8g4sBtj69rWQb6rJwENSsxoLQizFVcBSn04iqFQqS6VlgbQsMMJd57JpVb9gcQPuRc5iP37IN5crnnQjwWgIDQAxcMFVgX8L2SW2Eji5xGKVeIoJ6MJFYKxoyfiZD3779nqt8YvoaK1E4DWe5%2F9TzZWks0%2BaP5dwYHpoPnvYsj4k0X61JFQChNE5cZcNNbUH8i",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626915&Signature=A8EIjrcllVER4J%2FPzV2FRPV1NC%2FPha6J1APjMga6WlTRSe%2By092MDDTg4tF9ILYLxQtuQgmgwx93nasQfll6ffrd12FvlAsin2zj4vtdTT4AcIXmxJcKO0d%2FoLnozrBzi1R36TlEknCbXkqQPX%2BdvF%2BwroU1F61f6IOtIfgIK2uxK0KIG5I41N7fQcNOUNIwHoCvfAlSb2OqY1V4ESvWxMJ4MjdBn%2F%2B%2FUAOfpOh%2B7c",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d4dd113c9924d71398d9db20e2fcf347cad29c3d3bdc9612a44dfd47c1971aa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627160&Signature=K5%2FGwGNRKy0XCvva8zcyKHnsarNPNRQXXQI%2FV%2B1Susn9nmU9j%2Fm1SKT0f3LpBrVV5dyaLLy%2FYMPBmGKun3XY4WEmEl0KQkg17reIGCcLSeFbgDwpUm2DyN3ENt5d%2BkePCG6FvM5jUx7Cpf1ZTyw0PYePphEx1shaRArarvvSWz1kosuQhe%2BZ8tBYqt1c35e7%2BjQrwmLeZ489ungWsKJvhuXHetKJVJVEhY%2FLb3%2FBgTDodLwx3l",
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627259&Signature=LB8UpSFAWpkptxq2TpSlVUjgaYsD8ZVxTie7HZDfh0FJ9h5o0dlAfn3fQ2KoL66TnUg2S0MIsEXMxl5O%2BL%2FFPweNRNyFyFK8M4aHPEHTZZlcAopz6ofdP7b0rYACYLl%2BH51rdDSCCDGVFB2AxZXaz54b748ZJBd0lCSxvueW2MVVLJcFl5w4hcNIIwnXuHCQD02rsYzffmjBIO6CC1hPulQwohf%2FTZKDK5iuOAhPoVWWswdroV2A7M6M6PUg9g",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627300&Signature=ZqM8a%2BUX0F1D8t51nlp1%2BcYFN0ozRLI92p85KFn1f3Aey19YDGw%2BAAEbxD1JMvi%2BsMRGGfYTPACg4h9DM0VFKT8yq4FOOqED%2FO17EAyZrz6YSyQcMMnozviy%2B%2FdpS0Sqd8sas9FdpgcUAS%2FzEEcqa%2FsQVtkpv2rp9BZLKqvbpquNXBlA9rnKzvbtNwEP7meNDc%2FXDspVqf%2Frb9bWY8uHq7hJl6pMWknVtV",
        "https://vtbehaviour.commondatastorage.googleapis.com/faa6f8935bf337bb6f98bfe73e3b74f6e785da6929775e6bacbbd20d90ecf2c3_SNDBOX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627494&Signature=lBb52t94Lck4SSu4FORagQFNGojj5%2Bi7JRPlb68HqacyPusyn33LTlV%2F72P5M52r2EZ8ylUROPiRnCRBg0ry%2B2D1ctl1uWtP%2F1HDdBpnbxxUtkcM97MGzmUbIfTSOAsXsbB3f4Y6ZOIM%2BLYzCo%2BxwRmun4K%2Bo8K3mYHMatcF3mBtKcBPnP7WM5%2FHTz3XqJGMH9TCDIfe7j%2F3SAnx7X0tt0BgUcwPe4OkmHkUutihMBfek2MBp%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627608&Signature=nc6gUdC0NeDtHUOIT6P0pC0i9EKDBHTO%2BMbcwHvgjPzFPqDFGMq%2Fei9aUhg8ub9H4poa985bQO4xz1xEEOmGhEihgwKvDZ5u0QETkzbQJLxzzm5g9t%2Fx4iBeBHToQjDXdMrSu0ML%2FYBep0l%2F%2BkYortodmtnjHYhAEYOOLSZn4gSAWaPoq5vxXF9gtsRojKf9RIk5VuzDXFGY6BGsDKn2tch7nTJ3SmYKodEv4iWyVn4jp5g%2B4",
        "https://vtbehaviour.commondatastorage.googleapis.com/0c5a10f10eb29b8251a5dfe15fa74f7e25c281b4f9be7c87839a9ae3d34dfe6d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627783&Signature=FHIZFXnHZsAaWvZbG2O1vXTFfRz6BqTP8ikzyyXMpZ4VG6WEVnK3yHhhrnLfoLQqUCUgXvWOb1ThHRM6WXJGEx4jLnKM%2Fp6YkHmVEj1nFXBd%2BQ0IPGVwZRJfZcttoBFwmLwJ%2BTXEzUvqX%2FTXDGgeIKFac4IFl%2FGXPEmxi43CSXwZsWuD5CLfaHxEu65DvnuniHqPovnhBOp%2B2rEM2jSLgHuouV%2B9LiZwjgsSXeUVh1BFN5XrPPojB0Lk",
        "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628069&Signature=Tqx0WDIqoieH9yCo18tkPUdcYvTU0l0vEGnEzncxScNgePm2%2Bm5dMzcVkPb2dN4j43pL0c6xFpyqUmgcAaV4yJd1bWnukU%2FSoTPxrfzwEEPlXeMoapx9eeELYqF6WZWyor0m%2F4qv%2FuaYFkLWO2D8iOkqIiaNQBvu6nVuNBM3I%2FkrnXhWRxt3C8KQlAF%2Fo3ft05L0QBoJH6mQquOx2C777xrO6tjr31CGKjIMIAih66ud8Oskb57I%2B6zt",
        "https://vtbehaviour.commondatastorage.googleapis.com/aa2691bc8ec9abf5359396a356551d1e2de12c9c5035c259650650ced6607c6f_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628175&Signature=C%2Bm0zPP%2FHfqcIuof%2F2O%2F0UbWPaY37tDrVB%2FZMr2M9H%2BjPTiynLMHNyn5vNT97ndboi7U21mT93t30I4UMIqdICdXtc%2BlGG7rYgE2ruFbI6U%2BBxHCmlKEUYh1FZY%2BPsskjCqojS2K4I1w%2BfsLyUwkpsGHzh92WF%2B5h5FbNY5PySi2Fd3B4ns1okQyrU6i%2F0PdPGs%2BjnHvLfdB%2Bx%2FOjTJPOcKqkwk",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628363&Signature=dlMT8ox9JTkziQZLJ6FL%2BRBc%2Fz%2BeAIvgi4qr%2FO3pMT9vAKLgbGFgQum2bJ74s07XpftMHPBj1fCgNY5xK7EIouHXhmpyiD%2B5zsfcKaNckOkNoIo6A9%2FfM6g42hN5djOg3pDclOqwj0ECuBWrtZXqZcrc5nv%2BU51qwqs6AAkIaiZWOX341r7RHPc49dpGRK0DG1XQDRGxacXm5erHEQmAAO8I8yR%2FzKT%2BZ6EJK6xC99uC",
        "https://vtbehaviour.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628967&Signature=cw9IN04sKdFEDdQTLeqNWDt35Spbg0yI2vZFSrsk%2FJ6%2BD%2BRC5pt7QZKTQlutBh8zpYG9b4%2F7TjCFxf5jo1s6uYpiVA8s%2F5c5ZVy2Ia387UGrip6kYJ9s2cfp%2BgQ1o2RHEQRhukeRqR6uQpb87IVhWb1VjeABoOqT%2Buy%2BeXUckwOcInk8tcs9wCI1xhRe3raMJ1EC1gIdXCGzMqLU%2F874cclP6LWAUiQ08FPQe8VZtob",
        "https://vtbehaviour.commondatastorage.googleapis.com/012f268838dbc4f0877ea47f272bcd5acdc15ac4584c3d3cddeae2f5107d09de_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629156&Signature=qIGYvmHwkDg5a1aWpPn%2FCFierOaHWS9Gyvi4Owjd4sJ7YytEl%2F5qxIIpo84v%2F7J%2BvxGYG9PrPDBHbH5jiJc2VOMkKroiRdzapAh%2FFwXVnVhn%2FCJ1eu6xMH2KJ6bs578zBbSbt6QJ2KPBU2E7RJQ5o%2FxLV93YjttPgspSTvjqiC1vCSwx78AdV7nt4xmxTCpqZB3OJuH%2ByROH7tWED9Qzq%2BVgwf7AmK9UrFuIKnmo07prAMKfo1k1",
        "https://vtcuckoo.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629192&Signature=gnfHVeS3e3cryOoChL6czgBUI9mEJwFk8OZ22bAN4U7V1r1yCjBq7i3y7Sarv1O34zp2Yabguk5BQI4cgnZ64Dj1uLdrx9dUaYo%2FzBoITjzCiJ7djJCvB0alIiIw%2Bok%2BqRGGtIFbrfS61QNeDiXmFpeD1d%2F1lGe8ZoBd0nLLqtP5xdbRALcJbrvbCeln9nFuu199svtMraGxafiWFWiEC4GRx1BmdMZYVqC%2B%2FukhirOXs7MyPd6i1%2FsSjSWfGa8ss4pgIMD"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 94,
        "FileHash-SHA1": 70,
        "FileHash-SHA256": 294,
        "domain": 50,
        "hostname": 410,
        "URL": 281,
        "CIDR": 1,
        "email": 3,
        "IPv4": 2
      },
      "indicator_count": 1205,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "17 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5f37c65fbf136884dae98",
      "name": "CAPE Sandbox RIP.exe BLOODBANK.exe",
      "description": "A Cuckoo executable, for MS Windows, runs at 12:12:57 on the morning of 11 November, 2024, and ends in an unauthorised binary that ends up in a box full of data.- rip.exe tied to a gov domain is a treat.",
      "modified": "2026-05-08T06:44:52.553000",
      "created": "2026-04-08T06:19:40.539000",
      "tags": [
        "shell folders",
        "cname",
        "ip address",
        "nothing",
        "registry keys",
        "cape sandbox",
        "file type",
        "file size",
        "sha256",
        "mwdb",
        "accept",
        "shutdown",
        "windows sandbox",
        "calls process",
        "nethandle",
        "net1510000",
        "fastly",
        "skyca3",
        "po box",
        "city",
        "san francisco",
        "stateprov",
        "postalcode",
        "orgtechhandle",
        "orgnochandle",
        "orgid",
        "orgabuseref",
        "orgname",
        "cidr",
        "text process",
        "user",
        "default",
        "xport",
        "use my",
        "gmt ifnonematch",
        "microsoft excel",
        "pe file",
        "https",
        "contains",
        "spawns",
        "reads",
        "aslr",
        "seterrormode",
        "window",
        "malicious",
        "next",
        "csv text",
        "ascii text",
        "process",
        "queries memory",
        "network info",
        "dropped info",
        "persistence",
        "javascript",
        "please",
        "strong",
        "toggle",
        "mitre att",
        "advapi32",
        "windows",
        "dynamicloader",
        "sspicli",
        "name",
        "pid parent",
        "first",
        "threads",
        "path",
        "pegasus",
        "crypt32",
        "virustotal",
        "enterprise",
        "service",
        "close",
        "performs dns",
        "urls",
        "found",
        "united",
        "jpeg image",
        "jfif",
        "json",
        "tls version",
        "mitre attack",
        "creates",
        "phishing",
        "clear filters",
        "thumbprint",
        "temp",
        "full path",
        "windir",
        "behavior",
        "selfdeleting",
        "bat file",
        "address",
        "port",
        "report",
        "system process",
        "downloads",
        "binary",
        "hxojc8o",
        "signatures",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "hkeyclassesroot",
        "createfilew",
        "regcreatekeyexw",
        "regsetvalueexw",
        "genericread",
        "readfile",
        "desktop",
        "webview",
        "fail"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626394&Signature=mjMxHo8L7UrEZ%2B0mpGMaevi%2Fnyxg566NrZjoVPOa6T3Cbyv9SjUxWf%2BLTZqUG6wgBgPDMrC9WYvpluFNlA3a8CmS9FgO5Wk4ihVivuBtOPhisX8aQoky6AhLHqi%2FTU6pVryey1kfBt6MlRl0gEZ6OJtKADUb2hPUfxXN0b6zIDrBlBpDlzmi73JWdo%2BTl7HWhJzFk%2FDQy3DniCvgLRSPVSK0WPg%2BpvgzruUYB%2F5pkH20cP",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626418&Signature=TwvqChaO8lqc0vzwz%2BZ7W7IIwZZZt6%2FhJ4DzgyGjlwl%2Bev3Aj3iyAMtUxNhwGhTz10UGTbYuZcmLUPKLpQ81mgT%2B8axs57DfzVt1BoJTH5lWYK%2BOI8LDJGXD8tZ8DGKuNa6dHqqdQ9gDvuEpnhGfMmpJovXa%2B0drHScs%2BE%2FQKF%2BRTqOXjfSVxMdoqYnlB3zMc6AU2CYPv%2FE1mP06q5yCaRjgA0aIcnf7ADr9",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626474&Signature=kfjlpWuwZbaZbbP6fMcuay73HaFSKrqF520LJELy0GSL34yjKdsQSvLU8g4sBtj69rWQb6rJwENSsxoLQizFVcBSn04iqFQqS6VlgbQsMMJd57JpVb9gcQPuRc5iP37IN5crnnQjwWgIDQAxcMFVgX8L2SW2Eji5xGKVeIoJ6MJFYKxoyfiZD3779nqt8YvoaK1E4DWe5%2F9TzZWks0%2BaP5dwYHpoPnvYsj4k0X61JFQChNE5cZcNNbUH8i",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775626915&Signature=A8EIjrcllVER4J%2FPzV2FRPV1NC%2FPha6J1APjMga6WlTRSe%2By092MDDTg4tF9ILYLxQtuQgmgwx93nasQfll6ffrd12FvlAsin2zj4vtdTT4AcIXmxJcKO0d%2FoLnozrBzi1R36TlEknCbXkqQPX%2BdvF%2BwroU1F61f6IOtIfgIK2uxK0KIG5I41N7fQcNOUNIwHoCvfAlSb2OqY1V4ESvWxMJ4MjdBn%2F%2B%2FUAOfpOh%2B7c",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d4dd113c9924d71398d9db20e2fcf347cad29c3d3bdc9612a44dfd47c1971aa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627160&Signature=K5%2FGwGNRKy0XCvva8zcyKHnsarNPNRQXXQI%2FV%2B1Susn9nmU9j%2Fm1SKT0f3LpBrVV5dyaLLy%2FYMPBmGKun3XY4WEmEl0KQkg17reIGCcLSeFbgDwpUm2DyN3ENt5d%2BkePCG6FvM5jUx7Cpf1ZTyw0PYePphEx1shaRArarvvSWz1kosuQhe%2BZ8tBYqt1c35e7%2BjQrwmLeZ489ungWsKJvhuXHetKJVJVEhY%2FLb3%2FBgTDodLwx3l",
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627259&Signature=LB8UpSFAWpkptxq2TpSlVUjgaYsD8ZVxTie7HZDfh0FJ9h5o0dlAfn3fQ2KoL66TnUg2S0MIsEXMxl5O%2BL%2FFPweNRNyFyFK8M4aHPEHTZZlcAopz6ofdP7b0rYACYLl%2BH51rdDSCCDGVFB2AxZXaz54b748ZJBd0lCSxvueW2MVVLJcFl5w4hcNIIwnXuHCQD02rsYzffmjBIO6CC1hPulQwohf%2FTZKDK5iuOAhPoVWWswdroV2A7M6M6PUg9g",
        "https://vtbehaviour.commondatastorage.googleapis.com/1d5f970b7378625145832550f06d4eb5543258aee214e4d72172e4018c2d88a3_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627300&Signature=ZqM8a%2BUX0F1D8t51nlp1%2BcYFN0ozRLI92p85KFn1f3Aey19YDGw%2BAAEbxD1JMvi%2BsMRGGfYTPACg4h9DM0VFKT8yq4FOOqED%2FO17EAyZrz6YSyQcMMnozviy%2B%2FdpS0Sqd8sas9FdpgcUAS%2FzEEcqa%2FsQVtkpv2rp9BZLKqvbpquNXBlA9rnKzvbtNwEP7meNDc%2FXDspVqf%2Frb9bWY8uHq7hJl6pMWknVtV",
        "https://vtbehaviour.commondatastorage.googleapis.com/faa6f8935bf337bb6f98bfe73e3b74f6e785da6929775e6bacbbd20d90ecf2c3_SNDBOX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627494&Signature=lBb52t94Lck4SSu4FORagQFNGojj5%2Bi7JRPlb68HqacyPusyn33LTlV%2F72P5M52r2EZ8ylUROPiRnCRBg0ry%2B2D1ctl1uWtP%2F1HDdBpnbxxUtkcM97MGzmUbIfTSOAsXsbB3f4Y6ZOIM%2BLYzCo%2BxwRmun4K%2Bo8K3mYHMatcF3mBtKcBPnP7WM5%2FHTz3XqJGMH9TCDIfe7j%2F3SAnx7X0tt0BgUcwPe4OkmHkUutihMBfek2MBp%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/0526bc88565de11e5c67b8e01590ba1184e3c6130fc1ced3d1ecacb00c51a7fa_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627608&Signature=nc6gUdC0NeDtHUOIT6P0pC0i9EKDBHTO%2BMbcwHvgjPzFPqDFGMq%2Fei9aUhg8ub9H4poa985bQO4xz1xEEOmGhEihgwKvDZ5u0QETkzbQJLxzzm5g9t%2Fx4iBeBHToQjDXdMrSu0ML%2FYBep0l%2F%2BkYortodmtnjHYhAEYOOLSZn4gSAWaPoq5vxXF9gtsRojKf9RIk5VuzDXFGY6BGsDKn2tch7nTJ3SmYKodEv4iWyVn4jp5g%2B4",
        "https://vtbehaviour.commondatastorage.googleapis.com/0c5a10f10eb29b8251a5dfe15fa74f7e25c281b4f9be7c87839a9ae3d34dfe6d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775627783&Signature=FHIZFXnHZsAaWvZbG2O1vXTFfRz6BqTP8ikzyyXMpZ4VG6WEVnK3yHhhrnLfoLQqUCUgXvWOb1ThHRM6WXJGEx4jLnKM%2Fp6YkHmVEj1nFXBd%2BQ0IPGVwZRJfZcttoBFwmLwJ%2BTXEzUvqX%2FTXDGgeIKFac4IFl%2FGXPEmxi43CSXwZsWuD5CLfaHxEu65DvnuniHqPovnhBOp%2B2rEM2jSLgHuouV%2B9LiZwjgsSXeUVh1BFN5XrPPojB0Lk",
        "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628069&Signature=Tqx0WDIqoieH9yCo18tkPUdcYvTU0l0vEGnEzncxScNgePm2%2Bm5dMzcVkPb2dN4j43pL0c6xFpyqUmgcAaV4yJd1bWnukU%2FSoTPxrfzwEEPlXeMoapx9eeELYqF6WZWyor0m%2F4qv%2FuaYFkLWO2D8iOkqIiaNQBvu6nVuNBM3I%2FkrnXhWRxt3C8KQlAF%2Fo3ft05L0QBoJH6mQquOx2C777xrO6tjr31CGKjIMIAih66ud8Oskb57I%2B6zt",
        "https://vtbehaviour.commondatastorage.googleapis.com/aa2691bc8ec9abf5359396a356551d1e2de12c9c5035c259650650ced6607c6f_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628175&Signature=C%2Bm0zPP%2FHfqcIuof%2F2O%2F0UbWPaY37tDrVB%2FZMr2M9H%2BjPTiynLMHNyn5vNT97ndboi7U21mT93t30I4UMIqdICdXtc%2BlGG7rYgE2ruFbI6U%2BBxHCmlKEUYh1FZY%2BPsskjCqojS2K4I1w%2BfsLyUwkpsGHzh92WF%2B5h5FbNY5PySi2Fd3B4ns1okQyrU6i%2F0PdPGs%2BjnHvLfdB%2Bx%2FOjTJPOcKqkwk",
        "https://vtbehaviour.commondatastorage.googleapis.com/6c375dc240faf5cde2a8eafd44351309edfa18c7e11ea52c2437701584ec2579_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628363&Signature=dlMT8ox9JTkziQZLJ6FL%2BRBc%2Fz%2BeAIvgi4qr%2FO3pMT9vAKLgbGFgQum2bJ74s07XpftMHPBj1fCgNY5xK7EIouHXhmpyiD%2B5zsfcKaNckOkNoIo6A9%2FfM6g42hN5djOg3pDclOqwj0ECuBWrtZXqZcrc5nv%2BU51qwqs6AAkIaiZWOX341r7RHPc49dpGRK0DG1XQDRGxacXm5erHEQmAAO8I8yR%2FzKT%2BZ6EJK6xC99uC",
        "https://vtbehaviour.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775628967&Signature=cw9IN04sKdFEDdQTLeqNWDt35Spbg0yI2vZFSrsk%2FJ6%2BD%2BRC5pt7QZKTQlutBh8zpYG9b4%2F7TjCFxf5jo1s6uYpiVA8s%2F5c5ZVy2Ia387UGrip6kYJ9s2cfp%2BgQ1o2RHEQRhukeRqR6uQpb87IVhWb1VjeABoOqT%2Buy%2BeXUckwOcInk8tcs9wCI1xhRe3raMJ1EC1gIdXCGzMqLU%2F874cclP6LWAUiQ08FPQe8VZtob",
        "https://vtbehaviour.commondatastorage.googleapis.com/012f268838dbc4f0877ea47f272bcd5acdc15ac4584c3d3cddeae2f5107d09de_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629156&Signature=qIGYvmHwkDg5a1aWpPn%2FCFierOaHWS9Gyvi4Owjd4sJ7YytEl%2F5qxIIpo84v%2F7J%2BvxGYG9PrPDBHbH5jiJc2VOMkKroiRdzapAh%2FFwXVnVhn%2FCJ1eu6xMH2KJ6bs578zBbSbt6QJ2KPBU2E7RJQ5o%2FxLV93YjttPgspSTvjqiC1vCSwx78AdV7nt4xmxTCpqZB3OJuH%2ByROH7tWED9Qzq%2BVgwf7AmK9UrFuIKnmo07prAMKfo1k1",
        "https://vtcuckoo.commondatastorage.googleapis.com/000001ea2ae617d6de171f648d2683ff43b52cc01bc077f131cfd1be7549704a?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775629192&Signature=gnfHVeS3e3cryOoChL6czgBUI9mEJwFk8OZ22bAN4U7V1r1yCjBq7i3y7Sarv1O34zp2Yabguk5BQI4cgnZ64Dj1uLdrx9dUaYo%2FzBoITjzCiJ7djJCvB0alIiIw%2Bok%2BqRGGtIFbrfS61QNeDiXmFpeD1d%2F1lGe8ZoBd0nLLqtP5xdbRALcJbrvbCeln9nFuu199svtMraGxafiWFWiEC4GRx1BmdMZYVqC%2B%2FukhirOXs7MyPd6i1%2FsSjSWfGa8ss4pgIMD"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 164,
        "FileHash-SHA1": 161,
        "FileHash-SHA256": 463,
        "domain": 56,
        "hostname": 396,
        "URL": 456,
        "CIDR": 1,
        "email": 7
      },
      "indicator_count": 1704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "25 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ca5d583057aaefed16789a",
      "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
      "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
      "modified": "2026-04-29T11:26:13.615000",
      "created": "2026-03-30T11:24:08.053000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "default",
        "sha256",
        "sha1",
        "data",
        "info",
        "accept",
        "win64",
        "damage",
        "openssl",
        "shutdown",
        "direct",
        "explorer",
        "title",
        "payload",
        "rdap",
        "ip version",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity sg679",
        "handle",
        "stealc config",
        "cncs http"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 351,
        "URL": 392,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 197,
        "email": 12,
        "hostname": 68,
        "CIDR": 4
      },
      "indicator_count": 1341,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "34 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695089cbedad5c86f39b1363",
      "name": "Tracking Domains 03.03.26 (Updated Test)",
      "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
      "modified": "2026-04-05T06:35:43.679000",
      "created": "2025-12-28T01:37:15.993000",
      "tags": [
        "privacy badger",
        "sites general",
        "settings widget",
        "domains manage",
        "data privacy",
        "badger",
        "hide"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50404,
        "hostname": 10879,
        "URL": 715,
        "FileHash-MD5": 1
      },
      "indicator_count": 61999,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "58 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b92a27c47d4e28927364",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:26.110000",
      "created": "2026-03-12T13:01:30.067000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "82 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b9295603a6100edfa8c8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:25.387000",
      "created": "2026-03-12T13:01:29.284000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "82 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927aa7f10e82639d204",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.872000",
      "created": "2026-03-12T13:01:27.872000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "82 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927c086397130c5d114",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.275000",
      "created": "2026-03-12T13:01:27.275000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "82 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b926871746ed8a1bc324",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:26.440000",
      "created": "2026-03-12T13:01:26.440000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "82 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "onetag-sys.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "onetag-sys.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780454473.7032983
}