{ "type": "Domain", "indicator": "pair.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pair.net", "alexa": "http://www.alexa.com/siteinfo/pair.net", "indicator": "pair.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3403604195, "indicator": "pair.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d23925f64351b49da548a8", "name": "Sality found in DGA unspecified phishing campaign. Immigration", "description": "\u2022A domain generation algorithm (DGA) is a subroutine adversaries implement to dynamically identify a destination domain for CnC traffic as opposed to usage of a list of static IP addresses or domains. Generates large numbers of new domain names. Cybercriminals and botnet operators use (DGA) evading detection, generated volumes of domains & IP addresses for malware CnC servers. \n\u2022Sality is an appending polymorphic file infector virus that uses an Entry Point Obscuring (EPO) technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality.", "modified": "2024-03-19T16:02:09.246000", "created": "2024-02-18T17:06:45.853000", "tags": [ "filehashmd5", "domain", "iocs", "all octoseek", "create new", "pdf report", "pcap", "ipv4", "domain xn", "alienvault", "open threat", "contact", "contacted", "phishing", "trojan", "sality", "worm", "dga", "malware", "regsetvalueexa", "read c", "entries", "search", "regdword", "medium", "show", "pe32", "intel", "ms windows", "copy", "write", "win32", "malware", "next", "unknown", "dead host", "malware infection", "floxif", "cnc checkin", "nids malware", "network cnc", "cisco umbrella", "site", "safe site", "alexa top", "million", "hostnames", "detection list", "alexa", "team top", "blacklist", "evasive", "immigration" ], "references": [ "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)", "https://attack.mitre.org/techniques/T1568/002/", "http://www.junefabrics.com/android/activate.php", "Backdoor.PcClient" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Cyprus", "Ireland", "Spain", "Sweden" ], "malware_families": [ { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win32.Floxif.A Checkin", "display_name": "Win32.Floxif.A Checkin", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 574, "FileHash-MD5": 339, "FileHash-SHA1": 329, "FileHash-SHA256": 1161, "domain": 524, "email": 9, "hostname": 650, "SSLCertFingerprint": 2 }, "indicator_count": 3588, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3ad3fefbf45e46c34190f", "name": "Sality found in DGA unspecified phishing campaign. Immigration", "description": "", "modified": "2024-03-19T16:02:09.246000", "created": "2024-02-19T19:34:23.355000", "tags": [ "filehashmd5", "domain", "iocs", "all octoseek", "create new", "pdf report", "pcap", "ipv4", "domain xn", "alienvault", "open threat", "contact", "contacted", "phishing", "trojan", "sality", "worm", "dga", "malware", "regsetvalueexa", "read c", "entries", "search", "regdword", "medium", "show", "pe32", "intel", "ms windows", "copy", "write", "win32", "malware", "next", "unknown", "dead host", "malware infection", "floxif", "cnc checkin", "nids malware", "network cnc", "cisco umbrella", "site", "safe site", "alexa top", "million", "hostnames", "detection list", "alexa", "team top", "blacklist", "evasive", "immigration" ], "references": [ "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)", "https://attack.mitre.org/techniques/T1568/002/", "http://www.junefabrics.com/android/activate.php", "Backdoor.PcClient" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Cyprus", "Ireland", "Spain", "Sweden" ], "malware_families": [ { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win32.Floxif.A Checkin", "display_name": "Win32.Floxif.A Checkin", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [], "TLP": "white", "cloned_from": "65d23925f64351b49da548a8", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 574, "FileHash-MD5": 339, "FileHash-SHA1": 329, "FileHash-SHA256": 1161, "domain": 524, "email": 9, "hostname": 650, "SSLCertFingerprint": 2 }, "indicator_count": 3588, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "826 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636732ba4235b1d6a1685e79", "name": "pair.net the eco system itself", "description": "using corp email js inject to change customer support emails by adding ATT0000 Text field converts to either no-reply email or allows hijack and email contents to changed . im to tired to explain this now but its hiding in plain sight think js, accessibility, p2p, neural, mesh linking massive amounts of emails often ones consumers and enterprise dont delete", "modified": "2022-12-06T04:01:15.379000", "created": "2022-11-06T04:06:18.072000", "tags": [ "pair.net", "corp support email systems", "supply chain hell" ], "references": [ "https://www.virustotal.com/gui/collection/7c54ca5358986fc52adb738254468f3d44a73fe2288377807c7092972deeb5e4", "bt.pair.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1033, "hostname": 285, "URL": 221, "domain": 6 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62370c709a59854e44b4089b", "name": "http://cpan.pair.com/ Nasty Supply Chain update poss", "description": "", "modified": "2022-04-19T00:01:05.210000", "created": "2022-03-20T11:13:52.179000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "pcap", "pcap processing", "date", "sha256", "size", "path", "accept", "suspicious", "malicious", "body", "hybrid", "close", "click", "hosts", "august", "persistence", "execution", "local", "mozilla", "mozi", "trident", "strings" ], "references": [ "https://hybrid-analysis.com/sample/9527a96abead4538f1f3177b4accfc1cd63416085d80e84440da89c920f00ee7/61154a5d4b6af21b3c0ff803" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 449, "hostname": 147, "FileHash-SHA256": 172, "domain": 63, "FileHash-MD5": 42, "FileHash-SHA1": 48, "email": 3 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Tracking: 8.8.4.4 [ NOT a false.positive]", "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "https://attack.mitre.org/techniques/T1568/002/", "https://hybrid-analysis.com/sample/9527a96abead4538f1f3177b4accfc1cd63416085d80e84440da89c920f00ee7/61154a5d4b6af21b3c0ff803", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "training001.blackbagtech.com [opportunity?]", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "deviceinbox.com [malware hosting]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://www.virustotal.com/gui/collection/7c54ca5358986fc52adb738254468f3d44a73fe2288377807c7092972deeb5e4", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "http://www.junefabrics.com/android/activate.php", "bt.pair.net", "bell.ca", "enterprise.cellebrite.com [ digitalclues.com]", "https://tulach.cc/ [malware engineering | phishing]", "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://www.nsogroup.com", "Name Servers PDNS1.ULTRADNS.NET Org", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "Backdoor.PcClient", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "message.htm.com [ message stealer]", "https://timersys.com/ [ phishing | deb opera.com]", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Backdoor.Win32.Pushdo.s Checkin", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Win.trojan.pushdo-20", "World media", "Worm:win32/autorun", "Eternalblue", "Backdoor:win32/mydoom", "Trojandownloader:win32/cutwail.bs", "Win32.floxif.a checkin", "Cve-2022-26134", "Amadey", "Trojandownloader:win32/cutwail.bv", "Slf:msil/pstanomaly.a", "Quasar rat", "Virus:win32/floxif.h", "Pegasus", "Sality", "Tulach" ], "industries": [ "Telecommunications", "Government", "Legal", "Judicial", "Civil society", "Healthcare", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d23925f64351b49da548a8", "name": "Sality found in DGA unspecified phishing campaign. Immigration", "description": "\u2022A domain generation algorithm (DGA) is a subroutine adversaries implement to dynamically identify a destination domain for CnC traffic as opposed to usage of a list of static IP addresses or domains. Generates large numbers of new domain names. Cybercriminals and botnet operators use (DGA) evading detection, generated volumes of domains & IP addresses for malware CnC servers. \n\u2022Sality is an appending polymorphic file infector virus that uses an Entry Point Obscuring (EPO) technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality.", "modified": "2024-03-19T16:02:09.246000", "created": "2024-02-18T17:06:45.853000", "tags": [ "filehashmd5", "domain", "iocs", "all octoseek", "create new", "pdf report", "pcap", "ipv4", "domain xn", "alienvault", "open threat", "contact", "contacted", "phishing", "trojan", "sality", "worm", "dga", "malware", "regsetvalueexa", "read c", "entries", "search", "regdword", "medium", "show", "pe32", "intel", "ms windows", "copy", "write", "win32", "malware", "next", "unknown", "dead host", "malware infection", "floxif", "cnc checkin", "nids malware", "network cnc", "cisco umbrella", "site", "safe site", "alexa top", "million", "hostnames", "detection list", "alexa", "team top", "blacklist", "evasive", "immigration" ], "references": [ "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)", "https://attack.mitre.org/techniques/T1568/002/", "http://www.junefabrics.com/android/activate.php", "Backdoor.PcClient" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Cyprus", "Ireland", "Spain", "Sweden" ], "malware_families": [ { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win32.Floxif.A Checkin", "display_name": "Win32.Floxif.A Checkin", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 574, "FileHash-MD5": 339, "FileHash-SHA1": 329, "FileHash-SHA256": 1161, "domain": 524, "email": 9, "hostname": 650, "SSLCertFingerprint": 2 }, "indicator_count": 3588, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3ad3fefbf45e46c34190f", "name": "Sality found in DGA unspecified phishing campaign. Immigration", "description": "", "modified": "2024-03-19T16:02:09.246000", "created": "2024-02-19T19:34:23.355000", "tags": [ "filehashmd5", "domain", "iocs", "all octoseek", "create new", "pdf report", "pcap", "ipv4", "domain xn", "alienvault", "open threat", "contact", "contacted", "phishing", "trojan", "sality", "worm", "dga", "malware", "regsetvalueexa", "read c", "entries", "search", "regdword", "medium", "show", "pe32", "intel", "ms windows", "copy", "write", "win32", "malware", "next", "unknown", "dead host", "malware infection", "floxif", "cnc checkin", "nids malware", "network cnc", "cisco umbrella", "site", "safe site", "alexa top", "million", "hostnames", "detection list", "alexa", "team top", "blacklist", "evasive", "immigration" ], "references": [ "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)", "https://attack.mitre.org/techniques/T1568/002/", "http://www.junefabrics.com/android/activate.php", "Backdoor.PcClient" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Cyprus", "Ireland", "Spain", "Sweden" ], "malware_families": [ { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Win32.Floxif.A Checkin", "display_name": "Win32.Floxif.A Checkin", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" } ], "industries": [], "TLP": "white", "cloned_from": "65d23925f64351b49da548a8", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 574, "FileHash-MD5": 339, "FileHash-SHA1": 329, "FileHash-SHA256": 1161, "domain": 524, "email": 9, "hostname": 650, "SSLCertFingerprint": 2 }, "indicator_count": 3588, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "826 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636732ba4235b1d6a1685e79", "name": "pair.net the eco system itself", "description": "using corp email js inject to change customer support emails by adding ATT0000 Text field converts to either no-reply email or allows hijack and email contents to changed . im to tired to explain this now but its hiding in plain sight think js, accessibility, p2p, neural, mesh linking massive amounts of emails often ones consumers and enterprise dont delete", "modified": "2022-12-06T04:01:15.379000", "created": "2022-11-06T04:06:18.072000", "tags": [ "pair.net", "corp support email systems", "supply chain hell" ], "references": [ "https://www.virustotal.com/gui/collection/7c54ca5358986fc52adb738254468f3d44a73fe2288377807c7092972deeb5e4", "bt.pair.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1033, "hostname": 285, "URL": 221, "domain": 6 }, "indicator_count": 1545, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62370c709a59854e44b4089b", "name": "http://cpan.pair.com/ Nasty Supply Chain update poss", "description": "", "modified": "2022-04-19T00:01:05.210000", "created": "2022-03-20T11:13:52.179000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "pcap", "pcap processing", "date", "sha256", "size", "path", "accept", "suspicious", "malicious", "body", "hybrid", "close", "click", "hosts", "august", "persistence", "execution", "local", "mozilla", "mozi", "trident", "strings" ], "references": [ "https://hybrid-analysis.com/sample/9527a96abead4538f1f3177b4accfc1cd63416085d80e84440da89c920f00ee7/61154a5d4b6af21b3c0ff803" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 449, "hostname": 147, "FileHash-SHA256": 172, "domain": 63, "FileHash-MD5": 42, "FileHash-SHA1": 48, "email": 3 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pair.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pair.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780436837.2857347 }