{ "type": "Domain", "indicator": "ovh.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ovh.com", "alexa": "http://www.alexa.com/siteinfo/ovh.com", "indicator": "ovh.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain ovh.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain ovh.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2715284054, "indicator": "ovh.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69309525c9fb51eed9634ec2", "name": "Bulletproof Hosting Infrastructure - Known Malicious ASNs 2025", "description": "Autonomous Systems commonly used for malware C2, hosting, and bulletproof services. Based on DugganUSA threat intelligence operations.\n\nKEY PROVIDERS:\n- Contabo GmbH (ASN 51167) - UK/Germany, Pattern 38 C2\n- Hetzner Online (ASN 24940) - Germany/Finland, payload hosting\n- IOFLOOD (ASN 53755) - US, bulletproof\n- OVH (ASN 16276) - France, common abuse\n- DigitalOcean (ASN 14061) - US, common abuse\n- Linode (ASN 63949) - US, common abuse\n- Vultr (ASN 20473) - US, common abuse\n- TECHOFF (ASN varies) - Bulletproof\n- Chang Way Technologies (ASN 57523) - Hong Kong, bulletproof\n- SELECTEL (ASN 49505) - Russia, state-tolerant\n\nMITRE ATT&CK: T1583.003, T1583.004, T1608.001\n\nDugganUSA Pattern Library - www.dugganusa.com", "modified": "2026-01-02T19:00:39.535000", "created": "2025-12-03T19:53:09.093000", "tags": [ "bulletproof-hosting", "asn", "infrastructure", "c2", "contabo", "hetzner", "ioflood", "ovh", "dugganusa" ], "references": [ "https://www.dugganusa.com", "https://analytics.dugganusa.com/api/v1/stix-feed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "166 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "585 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65333dffc82990767f6982f6", "name": "CVE-2014-0514", "description": "The following is the full text of the report on the Adobe Reader vulnerability (CVE-2014-0514), compiled by the University of California, San Francisco, and published on 1 October 2017.", "modified": "2023-11-20T03:02:27.506000", "created": "2023-10-21T02:57:03.220000", "tags": [ "adobe reader", "android", "javascript", "misc http", "scan endpoints", "all cve", "ellenmmm cve", "cve20140514 add", "new pulse", "existing pulse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "URL": 134, "hostname": 307, "domain": 381, "FileHash-SHA256": 7111, "FileHash-MD5": 1474, "FileHash-SHA1": 1441, "SSLCertFingerprint": 4, "email": 18 }, "indicator_count": 10875, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f15030e45840824f55077", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-30T02:29:23.078000", "created": "2023-10-30T02:29:23.078000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65190c2a70ef9ab1e96e035a", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65190c2a70ef9ab1e96e035a", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-01T06:05:30.167000", "created": "2023-10-01T06:05:30.167000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "976 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e51289d6c001f2ab94eb67", "name": "www.envoyproxy.io", "description": "", "modified": "2023-09-24T00:00:49.866000", "created": "2023-08-22T19:54:49.515000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "983 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79746fce8c23d601a8256", "name": "www.envoyproxy.io (by ellenmmm)", "description": "", "modified": "2023-09-23T00:03:13.532000", "created": "2023-08-24T17:45:42.222000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 445, "domain": 311, "CVE": 7, "URL": 459, "email": 17, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2001 }, "indicator_count": 4040, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "https://analytics.dugganusa.com/api/v1/stix-feed", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com", "https://www.dugganusa.com", "Andariel group \u00bb State-sponsored threat actor & Defense media", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO" ], "malware_families": [ "Trojandownloader:win32/cutwail", "Trojanspy", "Trojan:win32/smokeloader", "Pws:win32/zbot!ci", "Trojan:win64/coinminer.we" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69309525c9fb51eed9634ec2", "name": "Bulletproof Hosting Infrastructure - Known Malicious ASNs 2025", "description": "Autonomous Systems commonly used for malware C2, hosting, and bulletproof services. Based on DugganUSA threat intelligence operations.\n\nKEY PROVIDERS:\n- Contabo GmbH (ASN 51167) - UK/Germany, Pattern 38 C2\n- Hetzner Online (ASN 24940) - Germany/Finland, payload hosting\n- IOFLOOD (ASN 53755) - US, bulletproof\n- OVH (ASN 16276) - France, common abuse\n- DigitalOcean (ASN 14061) - US, common abuse\n- Linode (ASN 63949) - US, common abuse\n- Vultr (ASN 20473) - US, common abuse\n- TECHOFF (ASN varies) - Bulletproof\n- Chang Way Technologies (ASN 57523) - Hong Kong, bulletproof\n- SELECTEL (ASN 49505) - Russia, state-tolerant\n\nMITRE ATT&CK: T1583.003, T1583.004, T1608.001\n\nDugganUSA Pattern Library - www.dugganusa.com", "modified": "2026-01-02T19:00:39.535000", "created": "2025-12-03T19:53:09.093000", "tags": [ "bulletproof-hosting", "asn", "infrastructure", "c2", "contabo", "hetzner", "ioflood", "ovh", "dugganusa" ], "references": [ "https://www.dugganusa.com", "https://analytics.dugganusa.com/api/v1/stix-feed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "166 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "585 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65333dffc82990767f6982f6", "name": "CVE-2014-0514", "description": "The following is the full text of the report on the Adobe Reader vulnerability (CVE-2014-0514), compiled by the University of California, San Francisco, and published on 1 October 2017.", "modified": "2023-11-20T03:02:27.506000", "created": "2023-10-21T02:57:03.220000", "tags": [ "adobe reader", "android", "javascript", "misc http", "scan endpoints", "all cve", "ellenmmm cve", "cve20140514 add", "new pulse", "existing pulse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "URL": 134, "hostname": 307, "domain": 381, "FileHash-SHA256": 7111, "FileHash-MD5": 1474, "FileHash-SHA1": 1441, "SSLCertFingerprint": 4, "email": 18 }, "indicator_count": 10875, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f15030e45840824f55077", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-30T02:29:23.078000", "created": "2023-10-30T02:29:23.078000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65190c2a70ef9ab1e96e035a", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "947 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65190c2a70ef9ab1e96e035a", "name": "www.envoyproxy.io", "description": "", "modified": "2023-10-01T06:05:30.167000", "created": "2023-10-01T06:05:30.167000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "976 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e51289d6c001f2ab94eb67", "name": "www.envoyproxy.io", "description": "", "modified": "2023-09-24T00:00:49.866000", "created": "2023-08-22T19:54:49.515000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 540, "domain": 372, "CVE": 7, "URL": 586, "email": 25, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2021 }, "indicator_count": 4351, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "983 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79746fce8c23d601a8256", "name": "www.envoyproxy.io (by ellenmmm)", "description": "", "modified": "2023-09-23T00:03:13.532000", "created": "2023-08-24T17:45:42.222000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64e51289d6c001f2ab94eb67", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 445, "domain": 311, "CVE": 7, "URL": 459, "email": 17, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 2001 }, "indicator_count": 4040, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "984 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ovh.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ovh.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780510172.946545 }