{ "type": "Domain", "indicator": "plug-tugs.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/plug-tugs.com", "alexa": "http://www.alexa.com/siteinfo/plug-tugs.com", "indicator": "plug-tugs.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 982270855, "indicator": "plug-tugs.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130626, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552997, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a9a77a47c528558c8ef", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:48:26.770000", "created": "2026-01-21T04:48:26.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a66c4042524a1ef26a8", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:34.615000", "created": "2026-01-21T04:47:34.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a57b1aa54d1ca1e9777", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:19.388000", "created": "2026-01-21T04:47:19.388000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a330e5bb8fbd2e958ff", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:43.394000", "created": "2026-01-21T04:46:43.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a308ae683c590bcbe71", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.973000", "created": "2026-01-21T04:46:40.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a3056e76df0e220c4d2", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.172000", "created": "2026-01-21T04:46:40.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68899ae621ead93f10b78da8", "name": "Hacking activities continue to affect multi block communities", "description": "Multi block complex (USA) continues to be affected by hacking and espionage activities. Every time I attempt to pulse a community, pulse is reset and malicious IoC\u2019s disappear. So here\u2019s another heap. #virtool #pws #crypter #ransom #tofsee #remote_activities #adversaries #berbew #hacking #denver_communities #infostealers", "modified": "2025-08-29T03:04:16.203000", "created": "2025-07-30T04:09:10.026000", "tags": [ "url https", "location united", "asn as16509", "et smtp", "message", "high", "et info", "domain", "yara detections", "contacted", "show", "icmp traffic", "irc server", "copy", "malware", "destination", "port", "united", "unknown", "united kingdom", "search", "entries", "write", "next", "google", "cloudflar", "amazon02", "akamaias", "microsoft", "ip address", "as autonomous", "system", "cdn77 dat", "googlecl", "cisco", "umbrella rank", "cisco umbrella", "rank", "date checked", "url hostname", "server response", "google safe", "results may", "present apr", "present may", "files show", "trojan", "error aug", "spain", "win32", "passive dns", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "gmt content", "type", "medium", "checks system", "total", "read", "upatre", "dynamicloader", "dynamic", "pcap", "reads", "pe section", "pe file", "mtb jul", "backdoor", "win32upatre jul", "mtb jun", "ipv4 add", "pulse pulses", "fakeav", "downloader", "trojandropper", "win32upatre jun", "urls", "script urls", "showing", "script domains", "meta", "certificate", "next http", "scans show", "hostname add", "pulse submit", "url analysis", "files", "files ip", "address", "hostname", "verdict", "date hash", "avast avg", "vps reverse", "america flag", "overview ip", "whois registrar", "url add", "http", "related nids", "files location", "flag united", "script general", "full url", "present jul", "aaaa", "present jun", "moved", "content length", "content type", "x powered", "date", "mtb may", "mtb sep", "b jan", "mtb jan", "mtb dec", "asn as13335", "creation date", "unknown aaaa", "results jul", "present feb", "present oct", "win32spigot jul", "alfper", "found", "error", "domain add", "enom", "urls show", "address domain", "ip related", "pulses none", "record value", "emails", "name david", "lex name", "city", "country ng", "asn as15169", "pulses", "tags", "all ipv4", "reverse dns", "ashburn", "unknown ns", "llc dba", "name servers", "present jan", "present dec", "service", "ransom", "new pulse", "existing pulse", "files domain", "files related", "body html", "lowfi", "worm", "virtool", "ch ua", "sec ch", "rsa tls", "issuing ca", "mtb apr", "yara rule", "hardwareid", "checks", "vmprotectsdk", "vmprotectstub", "avgetblockcc", "delphi", "vmprotect" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3262, "hostname": 3139, "FileHash-SHA256": 2614, "URL": 3078, "FileHash-MD5": 515, "FileHash-SHA1": 517, "email": 6, "CVE": 1 }, "indicator_count": 13132, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "275 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ee3b7bbdc177d58db15f16", "name": "Geoportal.gov.pl – Geoportal Infrastruktury Informacji Przestrzennej", "description": "Government.gov.com has a new website for people to visit, but what do you want to know about the people who have come and seen it?-.-au-bae?", "modified": "2024-12-17T14:35:35.628000", "created": "2024-09-21T03:20:27.071000", "tags": [ "pzgik", "zarzdzanie", "kryzysowe", "polsce", "baza danych", "gwny urzd", "geodezji i", "lidar", "modele", "pytania i", "android", "office open", "xml document", "dokument office", "open xml", "pl amp", "link", "war g2theme", "script urls", "script script", "httponly set", "cookie", "x3a x2f", "x2e gov", "x2e pl", "meta", "combo", "date", "win32 exe", "win32", "whasz", "oszczdno", "typ pliku", "magia plik", "pe32", "intel", "ms windows", "rar triid", "1 upx1" ], "references": [ "http://geoportal.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "hostname": 207, "domain": 155, "FileHash-MD5": 49, "FileHash-SHA1": 46, "FileHash-SHA256": 362, "email": 2, "IPv4": 10, "CVE": 1 }, "indicator_count": 1352, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666d1488316880c73e04054e", "name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS | Denver", "description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.", "modified": "2024-07-15T03:03:34.888000", "created": "2024-06-15T04:11:52.737000", "tags": [ "server", "hostmaster", "amazon legal", "dept", "amazon", "street", "stateprovince", "postal code", "view whois", "whois record", "date", "contact", "threat roundup", "november", "march", "december", "february", "october", "january", "highly targeted", "data", "boost mobile", "formbook", "response final", "url https", "ip address", "status code", "body length", "kb body", "sha256", "headers", "ord52c2 via", "cloudfront", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "june", "click", "strings", "error", "tools", "look", "verify", "restart", "unknown", "embeddedwb", "windows", "search", "medium", "united", "show", "whitelisted", "shellexecuteexw", "msie", "tofsee", "service", "write", "win32", "malware", "copy", "a nxdomain", "passive dns", "domain", "scan endpoints", "all scoreblue", "pulse pulses", "urls", "files", "ip related", "process32nextw", "components", "writeconsolew", "copy c", "delete c", "query", "useruin", "delphi", "capture", "install", "prorat", "url http", "http", "related nids", "files location", "regsetvalueexa", "hx88x89", "regbinary", "x95xd3xa4", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "x93xaf", "stream", "persistence", "execution", "creation date", "entries", "as44273 host", "record value", "status", "nxdomain", "content type", "accept", "gmt server", "gmt etag", "accept encoding", "ipv4", "path", "pragma", "name servers", "west domains", "hostname", "next", "asnone germany", "as21499 host", "singapore", "france", "object", "com cnt", "dem fin", "found", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "encrypt", "levelblue", "open threat", "meta", "a div", "div div", "france unknown", "ok server", "type", "seychelles", "whitesky", "as29182 jsc", "showing", "as24940 hetzner", "moved", "expiration date", "aaaa", "russia", "as15169 google", "germany", "emails", "germany unknown", "a domains", "body doctype", "html public", "ietfdtd html", "finland", "asnone iran", "iran", "td tr", "td td", "tbody", "tr tr", "domains", "backdoor", "apple", "radio hacking", "voicestram", "listening", "trojan", "twitter", "servers", "vbs", "data center", "avg clamav", "msdefender sep", "vitro mar", "Win32:Vitro", "target: tsara brashears", "target: brashears personal devices", "target: whitesky communication network", "target: accounting firm devices", "targets: intellectual property", "redrum", "open", "tr tbody", "rsa ca", "apache", "as7922 comcast", "pulse submit", "url analysis", "epss", "impact", "cve cve20178977", "exploits", "targeted", "cve overview", "media" ], "references": [ "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com", "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network", "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall", "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383", "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features", "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports", "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com", "message.htm.com | Ransomware", "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN", "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net", "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com", "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com", "Some items found relates to research exploited against or researched by target: disabled_duck", "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26", "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae", "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268", "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147", "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot", "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs", "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin", "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn", "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,", "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login", "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ", "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0", "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977", "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882" ], "public": 1, "adversary": "", "targeted_countries": [ "Seychelles", "Netherlands", "France", "United States of America" ], "malware_families": [ { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win32:BackdoorX-gen\\ [Trj]", "display_name": "Win32:BackdoorX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Tofsee-6840338-0", "display_name": "Win.Trojan.Tofsee-6840338-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/Dursg.K", "display_name": "Trojan:Win32/Dursg.K", "target": "/malware/Trojan:Win32/Dursg.K" }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Downloader-42770", "display_name": "Win.Trojan.Downloader-42770", "target": null }, { "id": "TrojanDownloader:JS/Nemucod.QJ", "display_name": "TrojanDownloader:JS/Nemucod.QJ", "target": "/malware/TrojanDownloader:JS/Nemucod.QJ" }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Kamso", "display_name": "Win32:Kamso", "target": null }, { "id": "Win.Trojan.Magania-13720", "display_name": "Win.Trojan.Magania-13720", "target": null }, { "id": "Win32:Sality", "display_name": "Win32:Sality", "target": null }, { "id": "Win.Trojan.Swisyn-6819", "display_name": "Win.Trojan.Swisyn-6819", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Win.Trojan.Agent-1313630", "display_name": "Win.Trojan.Agent-1313630", "target": null }, { "id": "Crypt_r.BCM", "display_name": "Crypt_r.BCM", "target": null }, { "id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882", "target": null }, { "id": "ALF:Exploit:O97M/CVE-2017-8977", "display_name": "ALF:Exploit:O97M/CVE-2017-8977", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [ "Retail", "Technology", "Telecommunications", "Civil Society", "Online Shopping", "Legal" ], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1965, "hostname": 1378, "domain": 1922, "FileHash-SHA256": 2639, "FileHash-MD5": 386, "FileHash-SHA1": 377, "email": 11, "CVE": 2 }, "indicator_count": 8680, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5461ad2cb2f9e8d342d", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:06.188000", "created": "2024-02-06T22:40:06.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b543bc2adfd3eca5ff2b", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:03.501000", "created": "2024-02-06T22:40:03.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5405e6e9e23324e6d8e", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:00.906000", "created": "2024-02-06T22:40:00.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "http://geoportal.gov.pl", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features", "3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin", "3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn", "Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,", "Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net", "3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot", "youngcoders.ng", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977", "IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports", "https://www.pornhub.com/video/search?search=tsara+brashears", "Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0", "dev-app.project-cicada.com \u2022 project-cicada.com", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11", "applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com", "Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login", "Some items found relates to research exploited against or researched by target: disabled_duck", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "message.htm.com | Ransomware", "CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882", "3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "https://goo.gl/9p2vKq", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network", "api.acumatica.flex.redteam.com", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787", "87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ", "3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs", "3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Sakula RAT: www.polarroute.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com", "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "IDS Detections Gh0stCringe CnC Activity M2", "Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com", "3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)" ], "malware_families": [ "Win.trojan.agent", "Trojandownloader:win32/upatre.aa", "Backdoor:win32/tofsee.t", "Win32:trojan-gen", "Cymt", "Et", "Win.trojan.tofsee-6840338-0", "Win.packer.pkr_ce1a-9980177-0", "Win32:sality", "Win.trojan.agent-1313630", "Trojandownloader:win32/banload", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan:win32/dursg.k", "Win.trojan.swisyn-6819", "Crypt_r.bcm", "Win.trojan.downloader-42770", "Sakula rat", "Alf:aggr:exploit:o97m/cve-2017-11882", "Trojandownloader:js/nemucod.qj", "Trojandownloader:win32/cutwail.bs", "Trojandropper:win32/vb.il", "Win32:kamso", "Sakula", "Virtool:win32/obfuscator.k", "Doc.downloader.emotetred02220-9938909-0", "Win32:malob-bx", "Win32:salicode", "Alf:heraklezeval:virtool:win32/waledac!rfn", "Win32:backdoorx-gen\\ [trj]", "Win.trojan.gh0strat-9955419-1", "Alf:exploit:o97m/cve-2017-8977", "Ransom:win32/crowti.a", "Win.trojan.magania-13720" ], "industries": [ "Retail", "Telecommunications", "Civil society", "Technology", "Legal", "Online shopping" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130626, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552997, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a9a77a47c528558c8ef", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:48:26.770000", "created": "2026-01-21T04:48:26.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a66c4042524a1ef26a8", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:34.615000", "created": "2026-01-21T04:47:34.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a57b1aa54d1ca1e9777", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:19.388000", "created": "2026-01-21T04:47:19.388000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a330e5bb8fbd2e958ff", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:43.394000", "created": "2026-01-21T04:46:43.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a308ae683c590bcbe71", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.973000", "created": "2026-01-21T04:46:40.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a3056e76df0e220c4d2", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.172000", "created": "2026-01-21T04:46:40.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "plug-tugs.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "plug-tugs.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780247251.2583957 }