{
"type": "Domain",
"indicator": "qraja.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/qraja.com",
"alexa": "http://www.alexa.com/siteinfo/qraja.com",
"indicator": "qraja.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 4008909080,
"indicator": "qraja.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 6,
"pulses": [
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "694d7d426afd8c1c816ddb9e",
"name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS",
"description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite",
"modified": "2026-01-24T17:05:40.719000",
"created": "2025-12-25T18:06:58.222000",
"tags": [
"united",
"et trojan",
"hello ssl",
"whitelisted",
"unknown",
"ciphersuite",
"sessionid",
"asnone",
"united kingdom",
"show",
"write",
"virustotal",
"drweb",
"vipre",
"mcafee",
"panda",
"malware",
"pandex!gen1",
"et",
"aaaa",
"present sep",
"gmt secure",
"passive dns",
"urls",
"gmt cache",
"service",
"title",
"brazil as16625",
"akamai",
"top source",
"tcp include",
"top destination",
"source source",
"destination",
"port",
"gtmkv978zl",
"utc gzy6fm95cs5",
"utc na",
"utc google",
"analytics na",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"mitre att",
"ck techniques",
"access att",
"bad traffic",
"et info",
"tls handshake",
"failure",
"windir",
"openurl c",
"prefetch2",
"dns requests",
"domain address",
"poland unknown",
"ip address",
"search",
"present oct",
"a domains",
"body head",
"document moved",
"unique",
"maxage86400",
"httponly",
"google safe",
"browsing",
"whois",
"virustotal api",
"screenshots",
"comments",
"pragma",
"data upload",
"extraction",
"type",
"extr",
"delete c",
"writeconsolew",
"windows",
"t1045",
"read c",
"susp",
"dock",
"win64",
"alerts",
"icmp traffic",
"pdb path",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"lumen",
"lumen ip",
"public bgp",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity lpl141",
"handle",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"status",
"showing",
"domain",
"trojan",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"files",
"location united",
"america flag",
"america asn",
"nethandle",
"net4",
"net40000",
"lpl141",
"llc orgid",
"city",
"la postalcode",
"dynamicloader",
"write c",
"medium",
"named pipe",
"yara rule",
"high",
"ms windows",
"encrypt",
"pegasus",
"markus",
"smartassembly",
"next",
"msie",
"t1063",
"windows nt",
"fastly",
"foundry",
"palantir",
"bgp",
"webkit bugzilla",
"record value",
"content type",
"bugzilla",
"meta",
"present nov",
"entries",
"atom",
"apple",
"chrome",
"moved",
"apple center",
"gmt content",
"name servers",
"servers",
"expiration date",
"pulse submit",
"url analysis",
"date",
"apple server",
"apple dns",
"asp.bet",
"data collection",
"bgp ip",
"lumen control",
"lumen admin",
"level 3",
"ipv4",
"reverse dns",
"found",
"hostname add",
"present jul",
"present jun",
"belize",
"unknown ns",
"present aug",
"domain add",
"creation date",
"failed",
"enter sc",
"extra data",
"include",
"review exclude",
"america united",
"dns resolutions",
"linuxgafgyt feb"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Canada"
],
"malware_families": [
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win3",
"display_name": "ALF:JASYP:Trojan:Win3",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0",
"display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Government",
"Finance",
"Telecommunications",
"Technology",
"Civil Society",
"IRS"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4187,
"hostname": 1574,
"FileHash-SHA256": 2387,
"FileHash-MD5": 189,
"FileHash-SHA1": 161,
"domain": 800,
"CVE": 1,
"email": 13,
"CIDR": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 9317,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d0b00b7ccb342031594e77",
"name": "OTX Generated with strange commentary as always",
"description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |",
"modified": "2025-10-22T02:00:03.967000",
"created": "2025-09-22T02:10:19.819000",
"tags": [
"expiration",
"url http",
"hall render",
"possible deep",
"https",
"deep panda",
"brian sabey",
"tsara brashears",
"panda",
"post",
"virtool",
"service",
"fraud",
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"claim reversal",
"view",
"fieldlastname",
"filehashmd5",
"filehashsha1",
"domain",
"hostname",
"virgin islands",
"united",
"canada",
"ireland",
"writeconsolea",
"regsetvalueexa",
"regdword",
"module load",
"t1129",
"show",
"micromedia",
"write",
"markus",
"april",
"win32",
"lost",
"malware",
"copy",
"c2 activity",
"cnc ids",
"beacon",
"server",
"domain status",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"date",
"registrar abuse",
"registrar",
"data",
"ipv4",
"returnurl",
"masquerade task",
"t1448",
"carrier billing",
"fraud endpoint",
"security scan",
"iocs",
"learn more",
"relationship",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob",
"t1060",
"scan",
"entries",
"healthcare",
"legal",
"families",
"sakurel",
"formbook att",
"ck ids",
"t1199",
"render",
"brian",
"sabey",
"fieldssn",
"elqaid16867",
"elqat1",
"elqcst272",
"formbookatt",
"white insane",
"law firm",
"run keys",
"ta0011",
"command",
"control",
"t1410",
"redirection",
"medium",
"windows",
"high",
"yara detections",
"backdoor",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [
"Healthcare",
"Legal",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2189,
"FileHash-MD5": 469,
"FileHash-SHA1": 447,
"FileHash-SHA256": 2446,
"domain": 465,
"hostname": 1224,
"email": 15
},
"indicator_count": 7255,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "221 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686b074599cb3cfbd5813614",
"name": "TikTok - Win32:RansomX-gen [Ransom]",
"description": "#ransom/lockfile.mk #trojan #zombie#ransom #malicious #malware #malicious #intel #apple #ios #ai #malware",
"modified": "2025-08-05T23:03:23.051000",
"created": "2025-07-06T23:31:17.865000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 803,
"domain": 246,
"FileHash-SHA256": 1979,
"FileHash-MD5": 31,
"URL": 1664,
"FileHash-SHA1": 34,
"CIDR": 3,
"email": 3,
"CVE": 2
},
"indicator_count": 4765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"Follow up need. This is a serious financial crime following the victims.",
"If someone is believed to be a threat they have right to due process.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"https://eliyporasa - Adult Content",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"There is fear in silence or speaking out",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Target agreed and complied with all lie detector measures.",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://meumundogay-com.sexogratis.page/locker",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"asp.bet",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"I am very upset. Whoever is doing this is sick.",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"64.38.232.180 - Adult Content IP",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Can the DoD no questions asked target a SA victim",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"www.anyxxxtube.net - Adult Content",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"iamrobert.com Y.A.S.",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome",
"https://es.pornhat.com/models/the-sex-creator/",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"www.anyxxxtube.net - Adult Content IP",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"Victims have lost financial assets, jobs, vehicles",
"http://sissy.com/default - Adult Content"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Alf:jasyp:trojan:win32/adialer",
"Alf:jasyp:trojan:win32/ircbot!atmn",
"Win.trojan.fenomengame-8",
"Alf:jasyp:trojan:win3",
"Unix.trojan.gafgyt-6981154-0",
"Mirai sim swap",
"Apnic",
"Pandex!gen1",
"Elf:ddos-s\\ [trj]\t\tunix.trojan.gafgyt-6981154-0",
"Trojandropper:win32/muldrop",
"Unknown malware \u2018can't access file\u2019",
"Lumen ip",
"Mirai",
"Win.malware.msilperseus-6989564-0",
"Win.trojan.ramnit-1847",
"Win.trojan.fenomengame-14",
"Appleservice",
"Et",
"Malware",
"Elf:ddos-s\\ [trj]"
],
"industries": [
"Finance",
"Financial",
"Government",
"Healthcare",
"Legal",
"Irs",
"Telecommunications",
"Technology",
"Civil society"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 6,
"pulses": [
{
"id": "694dc80ac6e7fd5474b316a1",
"name": "Malicious DDOS attacks targeting Brand New 2025 | Updated Apple Products affecting IRS payment portal",
"description": "Malicious actors continue to target certain users attempting to pay the IRS. Victim is redirected to : http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan after typing in IRS.gov (w/ secure header \u2018https\u2019 )\nOnce information is input it is payment is rejected, levy against bank accounts and assets and other threats. There is social engineering as one victim is communicating with someone allegedly from the IRS? \nAlthough malicious entities contacted , malicious behavior continues. Adversaries in the Middle attack. US hacker group. Denver, Iowa, Arizona, NY and abroad. \n\n*Targets: https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main |",
"modified": "2026-01-24T22:05:13.068000",
"created": "2025-12-25T23:26:02.712000",
"tags": [
"hash avast",
"avg clamav",
"msdefender feb",
"url http",
"url https",
"zipcode",
"active related",
"cage01195 dec",
"passports",
"ipv4",
"active",
"irs",
"apple",
"role title",
"indicator role",
"malware attacks",
"find encrypted",
"lumen",
"fastly",
"create c",
"read c",
"delete",
"write",
"default",
"medium",
"rgba",
"dock",
"execution",
"xport",
"united",
"passive dns",
"urls",
"expiration date",
"unknown ns",
"unknown aaaa",
"pulse pulses",
"merit",
"dod network",
"type indicator",
"related pulses",
"name",
"name servers",
"ffffff",
"ip address",
"emails",
"object",
"clsid6bf52a52",
"cookie",
"meta",
"united kingdom",
"germany",
"russia",
"search",
"added active",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"href",
"pattern match",
"ascii text",
"ck id",
"mitre att",
"ck matrix",
"t1071",
"general",
"local",
"path",
"iframe",
"click",
"beginstring",
"segoe ui",
"null",
"refresh",
"span",
"hybrid",
"strings",
"error",
"tools",
"title",
"look",
"verify",
"restart",
"data upload",
"extraction",
"failed",
"include data",
"entries",
"unicode",
"high",
"memcommit",
"next",
"flag",
"process details",
"path expiresthu",
"moved",
"gmt set",
"domain",
"httponly path",
"encrypt",
"leaseweb",
"iowa",
"title added",
"bad traffic",
"et info",
"tls handshake",
"failure",
"command decode",
"suricata stream",
"circle",
"f5f8fa",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"development att",
"suricata http",
"windows nt",
"date",
"ips initial",
"prefetch8",
"localappdata",
"prefetch1",
"programfiles",
"edge",
"access att",
"t1566 phishing",
"initial access",
"show process",
"show technique",
"process",
"t1057",
"contacted",
"ck techniques",
"evasion att",
"body",
"report spam",
"apple",
"ddos",
"irs created",
"hours ago",
"white",
"apple user",
"industries",
"government",
"finance",
"trojandropper",
"appleservice",
"mirai",
"trojan",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"alerts",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"analysis date",
"file score",
"medium risk",
"copy",
"richhash",
"finding notes",
"clamav malware",
"files matching",
"number",
"sample analysis",
"samples show",
"date hash",
"yara rule",
"msie",
"t1063",
"windows",
"malware",
"detected",
"https domain",
"tls sni",
"markus",
"smartassembly",
"win64",
"exif data",
"present dec",
"status",
"showing",
"show",
"icmp traffic",
"pdb path",
"crlf line",
"mutex",
"ms defender",
"mtb malware",
"hide samples",
"rootkit",
"apple webkit",
"macbook pro",
"apple ios"
],
"references": [
"sa.www4.irs.gov \u2022 sa1.www4.irs.gov \u2022 sa2.www4.irs.gov \u2022 apps.irs.gov \u2022 freetaxassistance.for.irs.gov \u2022 home.treasury.gov \u2022",
"132.3.48.38 \u2022 Description: CC=US ASN=AS721 dod network information center",
"154.35.132.70\t\u2022 Description: CC=US ASN=AS14987 rethem hosting llc",
"165.206.254.134 \u2022 Description: CC=US ASN=AS6122",
"192.85.127.130 \u2022 Description: CC=US ASN=AS2173 hewlett-packard company",
"195.128.76.205 \u2022 Description: CC=RU ASN=AS8470 jsc macomnet",
"205.181.242.243 \u2022 Description: CC=US ASN=AS3738 state street bank and trust company",
"207.75.164.17 \u2022 Description: CC=US ASN=AS237 merit network",
"207.75.164.210 \u2022 Description: CC=US ASN=AS237 merit network",
"214.25.9.149 \u2022 Description: CC=US ASN=AS344 dod network information center",
"216.252.199.59 \u2022 Description: CC=US ASN=AS31827 biz net technologies",
"78.46.218.253 \u2022 Description: CC=DE ASN=AS24940 hetzner online gmbh",
"95.211.7.168 \u2022Description: CC=NL ASN=AS60781 leaseweb netherlands b.v.",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears - Adult Content",
"https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ - Adult Content",
"http://www.anyxxxtube.net/search-porn/ - Adult Content",
"https://eliyporasa.life/uelbu/5/151504-harleyxwest-porn - Adult Content",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net - Adult Content",
"https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io\t- Adult Content",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io - Adult Content",
"http://sissy.com/default - Adult Content",
"https://eliyporasa - Adult Content",
"64.38.232.180 - Adult Content IP",
"www.anyxxxtube.net - Adult Content",
"www.anyxxxtube.net - Adult Content IP",
"http://www.iranianporn.com/ \u2022 iranianporn.com - Adult Content",
"http://www.italianporn.com/ \u2022 italianporn.com - Adult Content IP",
"jamaicansex.com \u2022 onlinesexmags.com \u2022 sexbible.com \u2022 bestsex.com - Adult Content IP",
"https://www.anyxxxtube.net/video/2241/big-titted-sexy-chick-august-ames/ - Adult Content IP",
"http://geometry.ru/articles/blinkovsexcircle.pdf- Adult Content IP",
"http://www.onlinesexmags.com/members/gent/current/ - Adult Content IP",
"http://sissy.com/default.php?qry=xinb0NVH3vxGQfarWy4r54j5FWwjyNsIfAXqPpjmSCTYnrY20orAEt5QcaKNVYpHM3.AFndEsyGlSb_SXAGpMTdue0rkjANJ3fQ0wH3yzmI9qKCDJp39iCno_V.ci7VYf_I4t_Y2ibuGhE_rlOAs3FGeaahClLHQmyX30MRH5AfpY6B5N9LDoau6dxnMaf3qGZEX_xCRYTdVAigxUMX2qRyl16DvSb9DohTpdet4E_v0QjzIjDwGGS4PYEDpjmzIeKlCSItsv09pHL84QDb6V_fvuFw0jX8tfoI8VQmpnaeudPhO0nDmV3c5G7HjNNcF&tgt=NO+TOKEN&searchKey=free+porn&wp=1&skp=3_2402 - Adult Content IP",
"httpssa.www4.irs.gov \u2022 jobs.irs.gov \u2022 https://sa.www4.irs.gov/ \u2022 https://sa.www4.irs.gov \u2022 www.directfile.irs.gov \u2022",
"http://sa.www4.irs.gov/ola/payment_options/create_long_term_plan \u2022 www4.irs.gov \u2022 www.drupal.org",
"asp.bet",
"apple.co \u2022 apple.com \u2022 apple.info \u2022 apple.net",
"https://www.freeiconspng.com/thumbs/icloud-logo/icloud-drive-mac-mail-cloud-apple-pc-works-c",
"https://build.webkit.org/results/Apple-Sequoia-Safer-CPP-Checks/301548@main",
"http://usw2.apple.com/ \u2022 https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"applefilmmaker.com \u2022 appleid.com \u2022 appleiservices.com",
"jobs.lumen.com \u2022 lumen.com \u2022 msradc.lumen.com \u2022 voip.lumen.com \u2022 www.lumen.com",
"https://otx.alienvault.com/pulse/694d7d426afd8c1c816ddb9e",
"Information gathered equals 2 pulses. Pulse (1) included",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d/694d9e6a07ba5e76e203a672",
"https://hybrid-analysis.com/sample/ec4a41028de0fb099e6f14c8507ba98d2215872688a955db015ca2dafc2baa3d",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"https://hybrid-analysis.com/sample/d9a2ab3260e7202336bef383bd97b323c616e0857623a30339ef285058a16ca3/694d9a33a2febcb826005ed5",
"https://hybrid-analysis.com/sample/270e6924ee7b824b615813b00654f282accd5c649920f143e4f1c47862de4676",
"Follow up need. This is a serious financial crime following the victims.",
"Victims have lost financial assets, jobs, vehicles",
"Persistent. Is Christopher P. Ahmann, Brian Sabey, State of Colorado",
"After an attack a different victim had awe , tax refund seized, Insurance became Medicaid, Was audited by the IRs and there was attempts on life w/ bad outcome"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Win.Trojan.Ramnit-1847",
"display_name": "Win.Trojan.Ramnit-1847",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-14",
"display_name": "Win.Trojan.Fenomengame-14",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/Adialer",
"display_name": "ALF:JASYP:Trojan:Win32/Adialer",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
}
],
"industries": [
"Financial",
"Government",
"Technology",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 363,
"FileHash-SHA1": 360,
"FileHash-SHA256": 3009,
"URL": 3504,
"domain": 879,
"email": 15,
"hostname": 1487,
"SSLCertFingerprint": 3
},
"indicator_count": 9620,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "694d7d426afd8c1c816ddb9e",
"name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS",
"description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite",
"modified": "2026-01-24T17:05:40.719000",
"created": "2025-12-25T18:06:58.222000",
"tags": [
"united",
"et trojan",
"hello ssl",
"whitelisted",
"unknown",
"ciphersuite",
"sessionid",
"asnone",
"united kingdom",
"show",
"write",
"virustotal",
"drweb",
"vipre",
"mcafee",
"panda",
"malware",
"pandex!gen1",
"et",
"aaaa",
"present sep",
"gmt secure",
"passive dns",
"urls",
"gmt cache",
"service",
"title",
"brazil as16625",
"akamai",
"top source",
"tcp include",
"top destination",
"source source",
"destination",
"port",
"gtmkv978zl",
"utc gzy6fm95cs5",
"utc na",
"utc google",
"analytics na",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"mitre att",
"ck techniques",
"access att",
"bad traffic",
"et info",
"tls handshake",
"failure",
"windir",
"openurl c",
"prefetch2",
"dns requests",
"domain address",
"poland unknown",
"ip address",
"search",
"present oct",
"a domains",
"body head",
"document moved",
"unique",
"maxage86400",
"httponly",
"google safe",
"browsing",
"whois",
"virustotal api",
"screenshots",
"comments",
"pragma",
"data upload",
"extraction",
"type",
"extr",
"delete c",
"writeconsolew",
"windows",
"t1045",
"read c",
"susp",
"dock",
"win64",
"alerts",
"icmp traffic",
"pdb path",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"lumen",
"lumen ip",
"public bgp",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity lpl141",
"handle",
"url add",
"http",
"hostname",
"files domain",
"files related",
"pulses none",
"related tags",
"status",
"showing",
"domain",
"trojan",
"trojandropper",
"next associated",
"fastly error",
"please",
"sea p",
"mozilla",
"accept",
"ipv4 add",
"files",
"location united",
"america flag",
"america asn",
"nethandle",
"net4",
"net40000",
"lpl141",
"llc orgid",
"city",
"la postalcode",
"dynamicloader",
"write c",
"medium",
"named pipe",
"yara rule",
"high",
"ms windows",
"encrypt",
"pegasus",
"markus",
"smartassembly",
"next",
"msie",
"t1063",
"windows nt",
"fastly",
"foundry",
"palantir",
"bgp",
"webkit bugzilla",
"record value",
"content type",
"bugzilla",
"meta",
"present nov",
"entries",
"atom",
"apple",
"chrome",
"moved",
"apple center",
"gmt content",
"name servers",
"servers",
"expiration date",
"pulse submit",
"url analysis",
"date",
"apple server",
"apple dns",
"asp.bet",
"data collection",
"bgp ip",
"lumen control",
"lumen admin",
"level 3",
"ipv4",
"reverse dns",
"found",
"hostname add",
"present jul",
"present jun",
"belize",
"unknown ns",
"present aug",
"domain add",
"creation date",
"failed",
"enter sc",
"extra data",
"include",
"review exclude",
"america united",
"dns resolutions",
"linuxgafgyt feb"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Canada"
],
"malware_families": [
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Lumen IP",
"display_name": "Lumen IP",
"target": null
},
{
"id": "Win.Malware.Msilperseus-6989564-0",
"display_name": "Win.Malware.Msilperseus-6989564-0",
"target": null
},
{
"id": "Unknown Malware \u2018Can't access file\u2019",
"display_name": "Unknown Malware \u2018Can't access file\u2019",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Win.Trojan.Fenomengame-8",
"display_name": "Win.Trojan.Fenomengame-8",
"target": null
},
{
"id": "ALF:JASYP:Trojan:Win3",
"display_name": "ALF:JASYP:Trojan:Win3",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "Appleservice",
"display_name": "Appleservice",
"target": null
},
{
"id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0",
"display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Mirai Sim Swap",
"display_name": "Mirai Sim Swap",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Government",
"Finance",
"Telecommunications",
"Technology",
"Civil Society",
"IRS"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4187,
"hostname": 1574,
"FileHash-SHA256": 2387,
"FileHash-MD5": 189,
"FileHash-SHA1": 161,
"domain": 800,
"CVE": 1,
"email": 13,
"CIDR": 1,
"SSLCertFingerprint": 4
},
"indicator_count": 9317,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "126 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d0b00b7ccb342031594e77",
"name": "OTX Generated with strange commentary as always",
"description": "OTX Auto populated-> Yara Yara, a 27-year-old woman from New York, has found that a law firm allegedly controlled Tsara Brashears' life and healthcare plan under the guise of being a Medicare United Healthcare plan. |",
"modified": "2025-10-22T02:00:03.967000",
"created": "2025-09-22T02:10:19.819000",
"tags": [
"expiration",
"url http",
"hall render",
"possible deep",
"https",
"deep panda",
"brian sabey",
"tsara brashears",
"panda",
"post",
"virtool",
"service",
"fraud",
"url https",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"claim reversal",
"view",
"fieldlastname",
"filehashmd5",
"filehashsha1",
"domain",
"hostname",
"virgin islands",
"united",
"canada",
"ireland",
"writeconsolea",
"regsetvalueexa",
"regdword",
"module load",
"t1129",
"show",
"micromedia",
"write",
"markus",
"april",
"win32",
"lost",
"malware",
"copy",
"c2 activity",
"cnc ids",
"beacon",
"server",
"domain status",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"date",
"registrar abuse",
"registrar",
"data",
"ipv4",
"returnurl",
"masquerade task",
"t1448",
"carrier billing",
"fraud endpoint",
"security scan",
"iocs",
"learn more",
"relationship",
"t1040",
"sniffing",
"t1045",
"packing",
"t1053",
"taskjob",
"t1060",
"scan",
"entries",
"healthcare",
"legal",
"families",
"sakurel",
"formbook att",
"ck ids",
"t1199",
"render",
"brian",
"sabey",
"fieldssn",
"elqaid16867",
"elqat1",
"elqcst272",
"formbookatt",
"white insane",
"law firm",
"run keys",
"ta0011",
"command",
"control",
"t1410",
"redirection",
"medium",
"windows",
"high",
"yara detections",
"backdoor",
"showing"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1448",
"name": "Carrier Billing Fraud",
"display_name": "T1448 - Carrier Billing Fraud"
}
],
"industries": [
"Healthcare",
"Legal",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2189,
"FileHash-MD5": 469,
"FileHash-SHA1": 447,
"FileHash-SHA256": 2446,
"domain": 465,
"hostname": 1224,
"email": 15
},
"indicator_count": 7255,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "221 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686b074599cb3cfbd5813614",
"name": "TikTok - Win32:RansomX-gen [Ransom]",
"description": "#ransom/lockfile.mk #trojan #zombie#ransom #malicious #malware #malicious #intel #apple #ios #ai #malware",
"modified": "2025-08-05T23:03:23.051000",
"created": "2025-07-06T23:31:17.865000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 803,
"domain": 246,
"FileHash-SHA256": 1979,
"FileHash-MD5": 31,
"URL": 1664,
"FileHash-SHA1": 34,
"CIDR": 3,
"email": 3,
"CVE": 2
},
"indicator_count": 4765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "298 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "qraja.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "qraja.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780242490.8012397
}