{
  "type": "Domain",
  "indicator": "rediffmail.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/rediffmail.com",
    "alexa": "http://www.alexa.com/siteinfo/rediffmail.com",
    "indicator": "rediffmail.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain rediffmail.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 681394,
      "indicator": "rediffmail.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 21,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b76c9a490b69b6a085b3",
          "name": "Exodus/cellbrite clone by Q Vashti",
          "description": "",
          "modified": "2026-03-12T12:54:04.160000",
          "created": "2026-03-12T12:54:04.160000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6916e098df39114161354b23",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694f0aa090aedc7e498b2e9a",
          "name": "Qakbot | *NEW  Malware found and analyzed \u2022 IRS",
          "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information.  Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.",
          "modified": "2026-01-25T21:03:27.507000",
          "created": "2025-12-26T22:22:24.480000",
          "tags": [
            "related tags",
            "none google",
            "win32",
            "united",
            "united states",
            "irs",
            "qakbot",
            "qbot",
            "inject",
            "keylogger",
            "botx",
            "active",
            "bot network",
            "et trojan",
            "hello ssl",
            "destination",
            "port",
            "unknown",
            "ciphersuite",
            "sessionid",
            "asnone",
            "write",
            "virustotal",
            "drweb",
            "vipre",
            "mcafee",
            "panda",
            "malware",
            "pandex!gen1",
            "et",
            "brazil as16625",
            "akamai",
            "united kingdom",
            "dynamicloader",
            "medium",
            "tls handshake",
            "failure",
            "yara rule",
            "high",
            "cape",
            "guard",
            "error",
            "delphi",
            "qakbot",
            "tlsv1",
            "entries",
            "iobit unikstall",
            "global",
            "read c",
            "rgba",
            "unicode",
            "memcommit",
            "delete",
            "msie",
            "windows nt",
            "next",
            "dock",
            "execution",
            "server header",
            "download",
            "suspicious",
            "specified",
            "logic",
            "web products",
            "present nov",
            "present dec",
            "present jun",
            "present oct",
            "present may",
            "aaaa",
            "next associated",
            "urls show",
            "scheme",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "contacted hosts",
            "ip address",
            "ascii text",
            "pattern match",
            "href",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "beginstring",
            "show process",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "iframe",
            "click",
            "strings",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "learn",
            "command",
            "name tactics",
            "informative",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "adult content",
            "lol fun hackers"
          ],
          "references": [
            "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
            "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE  Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
            "Pandex!gen1 Web Products",
            "Crypt3.BXVC IDS: Suspicious double Server Header",
            "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
            "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
            "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
            "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
            "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
            "Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
            "Crypt3.BXVC IDS: Abuseat.org Block Message",
            "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
            "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
            "Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
            "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
            "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
            "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Canada",
            "Brazil",
            "Ireland",
            "India",
            "Georgia",
            "Singapore",
            "Spain",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            },
            {
              "id": "Win.Keylogger.Qbot-9987768-0",
              "display_name": "Win.Keylogger.Qbot-9987768-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Qakbot-9988002-1",
              "display_name": "Win.Trojan.Qakbot-9988002-1",
              "target": null
            },
            {
              "id": "Win32:BotX-gen\\ [Trj]",
              "display_name": "Win32:BotX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Pandex!gen1",
              "display_name": "Pandex!gen1",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Web Products",
              "display_name": "Web Products",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "IRS"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 158,
            "URL": 140,
            "hostname": 287,
            "FileHash-SHA256": 85,
            "FileHash-MD5": 110,
            "FileHash-SHA1": 77,
            "SSLCertFingerprint": 8
          },
          "indicator_count": 865,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6952febb1dbcf05ee601f050",
          "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
          "description": "",
          "modified": "2025-12-29T22:20:43.238000",
          "created": "2025-12-29T22:20:43.238000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b80a20bbcd0eb305a740ec",
          "export_count": 40780,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "153 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916e098df39114161354b23",
          "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
          "description": "",
          "modified": "2025-12-14T07:05:42.106000",
          "created": "2025-11-14T07:56:08.872000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "168 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f65b43746fb93715eba928",
          "name": "Phishing [201025]",
          "description": "Phishing domains and IP addresses that have been used to send malicious emails.",
          "modified": "2025-11-19T15:01:46.959000",
          "created": "2025-10-20T15:54:43.943000",
          "tags": [
            "m365",
            "money",
            "phishing",
            "spearphishing",
            "azure-blob",
            "malicious-domain",
            "amazon-prime",
            "reward-claim"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FS13JKMK",
            "id": "312129",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 105,
            "hostname": 155,
            "email": 7,
            "URL": 278,
            "FileHash-SHA256": 30
          },
          "indicator_count": 575,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68eff0848071708f9ee0c0bd",
          "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3",
          "description": "",
          "modified": "2025-11-14T17:02:12.746000",
          "created": "2025-10-15T19:05:40.466000",
          "tags": [
            "ipv4",
            "email abuse",
            "email info",
            "active related",
            "passive dns",
            "files related",
            "related tags",
            "none google",
            "external",
            "present aug",
            "present sep",
            "present jun",
            "present jul",
            "present oct",
            "ipv4 https",
            "crosscountry",
            "mortgagefamily",
            "port",
            "read c",
            "destination",
            "high",
            "intel",
            "ms windows",
            "stream",
            "explorer",
            "write",
            "malware",
            "united",
            "asnone",
            "et trojan",
            "windows nt",
            "suspicious",
            "win64",
            "zune",
            "et",
            "netherlands",
            "segoe ui",
            "found content",
            "length",
            "content type",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "error",
            "ip address",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "ip related",
            "pulses none",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "spawns",
            "command",
            "found",
            "defense evasion",
            "ssl certificate",
            "execution",
            "path",
            "secure",
            "show technique",
            "mitre att",
            "ck matrix",
            "maxage31536000",
            "expirestue",
            "brand",
            "microsoft edge",
            "date",
            "cookie",
            "sha1",
            "ascii text",
            "sha256",
            "pattern match",
            "hybrid",
            "local",
            "click",
            "strings",
            "show process",
            "flag",
            "programfiles",
            "command decode",
            "comspec",
            "model",
            "general",
            "starfield",
            "encrypt",
            "iframe",
            "development att",
            "backdoor",
            "win32",
            "reverse dns",
            "location india",
            "india asn",
            "trojan",
            "mtb win32"
          ],
          "references": [
            "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
            "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
            "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
            "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
            "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
            "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
            "you.are.poor.i.got.trap.money?",
            "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "Romania",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "BC.Win.Packer.Troll-11",
              "display_name": "BC.Win.Packer.Troll-11",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Crypt3.BOJE",
              "display_name": "Crypt3.BOJE",
              "target": null
            },
            {
              "id": "Crypt3.BXMJ",
              "display_name": "Crypt3.BXMJ",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.OV!MTB",
              "display_name": "Trojan:Win32/Glupteba.OV!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "ProRat",
              "display_name": "ProRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Prorat.L",
              "display_name": "Backdoor:Win32/Prorat.L",
              "target": "/malware/Backdoor:Win32/Prorat.L"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:Trojan",
              "display_name": "Win32:Trojan",
              "target": null
            },
            {
              "id": "DanaBot",
              "display_name": "DanaBot",
              "target": null
            },
            {
              "id": "Atros3.AHFB",
              "display_name": "Atros3.AHFB",
              "target": null
            },
            {
              "id": "Crypt5.BBYH",
              "display_name": "Crypt5.BBYH",
              "target": null
            },
            {
              "id": "Crypt4.AHSW",
              "display_name": "Crypt4.AHSW",
              "target": null
            },
            {
              "id": "Crypt3.COIZ",
              "display_name": "Crypt3.COIZ",
              "target": null
            },
            {
              "id": "Crypt3.CMTM",
              "display_name": "Crypt3.CMTM",
              "target": null
            },
            {
              "id": "Crypt3.CKTO",
              "display_name": "Crypt3.CKTO",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BXGR",
              "display_name": "Crypt3.BXGR",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BOQD",
              "display_name": "Crypt3.BOQD",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "Crypt3.BOIU",
              "display_name": "Crypt3.BOIU",
              "target": null
            },
            {
              "id": "Inject2.BHBW",
              "display_name": "Inject2.BHBW",
              "target": null
            },
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Telecommunications",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": "68efee5ba882db423d3bad8f",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10010,
            "FileHash-MD5": 150,
            "FileHash-SHA1": 144,
            "FileHash-SHA256": 2869,
            "domain": 2046,
            "email": 6,
            "hostname": 3705,
            "SSLCertFingerprint": 19
          },
          "indicator_count": 18949,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68efee5ba882db423d3bad8f",
          "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN  \u2022 Kryptic",
          "description": "",
          "modified": "2025-11-14T17:02:12.746000",
          "created": "2025-10-15T18:56:27.950000",
          "tags": [
            "ipv4",
            "email abuse",
            "email info",
            "active related",
            "passive dns",
            "files related",
            "related tags",
            "none google",
            "external",
            "present aug",
            "present sep",
            "present jun",
            "present jul",
            "present oct",
            "ipv4 https",
            "crosscountry",
            "mortgagefamily",
            "port",
            "read c",
            "destination",
            "high",
            "intel",
            "ms windows",
            "stream",
            "explorer",
            "write",
            "malware",
            "united",
            "asnone",
            "et trojan",
            "windows nt",
            "suspicious",
            "win64",
            "zune",
            "et",
            "netherlands",
            "segoe ui",
            "found content",
            "length",
            "content type",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "error",
            "ip address",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "ip related",
            "pulses none",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "spawns",
            "command",
            "found",
            "defense evasion",
            "ssl certificate",
            "execution",
            "path",
            "secure",
            "show technique",
            "mitre att",
            "ck matrix",
            "maxage31536000",
            "expirestue",
            "brand",
            "microsoft edge",
            "date",
            "cookie",
            "sha1",
            "ascii text",
            "sha256",
            "pattern match",
            "hybrid",
            "local",
            "click",
            "strings",
            "show process",
            "flag",
            "programfiles",
            "command decode",
            "comspec",
            "model",
            "general",
            "starfield",
            "encrypt",
            "iframe",
            "development att",
            "backdoor",
            "win32",
            "reverse dns",
            "location india",
            "india asn",
            "trojan",
            "mtb win32"
          ],
          "references": [
            "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
            "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
            "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
            "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
            "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
            "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
            "you.are.poor.i.got.trap.money?",
            "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "Romania",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "BC.Win.Packer.Troll-11",
              "display_name": "BC.Win.Packer.Troll-11",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Crypt3.BOJE",
              "display_name": "Crypt3.BOJE",
              "target": null
            },
            {
              "id": "Crypt3.BXMJ",
              "display_name": "Crypt3.BXMJ",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.OV!MTB",
              "display_name": "Trojan:Win32/Glupteba.OV!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "ProRat",
              "display_name": "ProRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Prorat.L",
              "display_name": "Backdoor:Win32/Prorat.L",
              "target": "/malware/Backdoor:Win32/Prorat.L"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:Trojan",
              "display_name": "Win32:Trojan",
              "target": null
            },
            {
              "id": "DanaBot",
              "display_name": "DanaBot",
              "target": null
            },
            {
              "id": "Atros3.AHFB",
              "display_name": "Atros3.AHFB",
              "target": null
            },
            {
              "id": "Crypt5.BBYH",
              "display_name": "Crypt5.BBYH",
              "target": null
            },
            {
              "id": "Crypt4.AHSW",
              "display_name": "Crypt4.AHSW",
              "target": null
            },
            {
              "id": "Crypt3.COIZ",
              "display_name": "Crypt3.COIZ",
              "target": null
            },
            {
              "id": "Crypt3.CMTM",
              "display_name": "Crypt3.CMTM",
              "target": null
            },
            {
              "id": "Crypt3.CKTO",
              "display_name": "Crypt3.CKTO",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BXGR",
              "display_name": "Crypt3.BXGR",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BOQD",
              "display_name": "Crypt3.BOQD",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "Crypt3.BOIU",
              "display_name": "Crypt3.BOIU",
              "target": null
            },
            {
              "id": "Inject2.BHBW",
              "display_name": "Inject2.BHBW",
              "target": null
            },
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Telecommunications",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": "68efedf37890e1b32d60eb55",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10010,
            "FileHash-MD5": 150,
            "FileHash-SHA1": 144,
            "FileHash-SHA256": 2869,
            "domain": 2046,
            "email": 6,
            "hostname": 3705,
            "SSLCertFingerprint": 19
          },
          "indicator_count": 18949,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68efedf37890e1b32d60eb55",
          "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me",
          "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]",
          "modified": "2025-11-14T17:02:12.746000",
          "created": "2025-10-15T18:54:43.205000",
          "tags": [
            "ipv4",
            "email abuse",
            "email info",
            "active related",
            "passive dns",
            "files related",
            "related tags",
            "none google",
            "external",
            "present aug",
            "present sep",
            "present jun",
            "present jul",
            "present oct",
            "ipv4 https",
            "crosscountry",
            "mortgagefamily",
            "port",
            "read c",
            "destination",
            "high",
            "intel",
            "ms windows",
            "stream",
            "explorer",
            "write",
            "malware",
            "united",
            "asnone",
            "et trojan",
            "windows nt",
            "suspicious",
            "win64",
            "zune",
            "et",
            "netherlands",
            "segoe ui",
            "found content",
            "length",
            "content type",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "error",
            "ip address",
            "pulse submit",
            "url analysis",
            "files",
            "domain",
            "ip related",
            "pulses none",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "spawns",
            "command",
            "found",
            "defense evasion",
            "ssl certificate",
            "execution",
            "path",
            "secure",
            "show technique",
            "mitre att",
            "ck matrix",
            "maxage31536000",
            "expirestue",
            "brand",
            "microsoft edge",
            "date",
            "cookie",
            "sha1",
            "ascii text",
            "sha256",
            "pattern match",
            "hybrid",
            "local",
            "click",
            "strings",
            "show process",
            "flag",
            "programfiles",
            "command decode",
            "comspec",
            "model",
            "general",
            "starfield",
            "encrypt",
            "iframe",
            "development att",
            "backdoor",
            "win32",
            "reverse dns",
            "location india",
            "india asn",
            "trojan",
            "mtb win32"
          ],
          "references": [
            "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
            "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
            "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
            "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
            "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
            "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
            "you.are.poor.i.got.trap.money?",
            "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "Romania",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "BC.Win.Packer.Troll-11",
              "display_name": "BC.Win.Packer.Troll-11",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Crypt3.BOJE",
              "display_name": "Crypt3.BOJE",
              "target": null
            },
            {
              "id": "Crypt3.BXMJ",
              "display_name": "Crypt3.BXMJ",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba.OV!MTB",
              "display_name": "Trojan:Win32/Glupteba.OV!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "ProRat",
              "display_name": "ProRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Prorat.L",
              "display_name": "Backdoor:Win32/Prorat.L",
              "target": "/malware/Backdoor:Win32/Prorat.L"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:Trojan",
              "display_name": "Win32:Trojan",
              "target": null
            },
            {
              "id": "DanaBot",
              "display_name": "DanaBot",
              "target": null
            },
            {
              "id": "Atros3.AHFB",
              "display_name": "Atros3.AHFB",
              "target": null
            },
            {
              "id": "Crypt5.BBYH",
              "display_name": "Crypt5.BBYH",
              "target": null
            },
            {
              "id": "Crypt4.AHSW",
              "display_name": "Crypt4.AHSW",
              "target": null
            },
            {
              "id": "Crypt3.COIZ",
              "display_name": "Crypt3.COIZ",
              "target": null
            },
            {
              "id": "Crypt3.CMTM",
              "display_name": "Crypt3.CMTM",
              "target": null
            },
            {
              "id": "Crypt3.CKTO",
              "display_name": "Crypt3.CKTO",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BXGR",
              "display_name": "Crypt3.BXGR",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BOQD",
              "display_name": "Crypt3.BOQD",
              "target": null
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "Crypt3.BOIU",
              "display_name": "Crypt3.BOIU",
              "target": null
            },
            {
              "id": "Inject2.BHBW",
              "display_name": "Inject2.BHBW",
              "target": null
            },
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Telecommunications",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10010,
            "FileHash-MD5": 150,
            "FileHash-SHA1": 144,
            "FileHash-SHA256": 2869,
            "domain": 2046,
            "email": 6,
            "hostname": 3705,
            "SSLCertFingerprint": 19
          },
          "indicator_count": 18949,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d145204ffef3c1e0874773",
          "name": "XUSOM (unenriched)",
          "description": "Quick look at XUSOM",
          "modified": "2025-04-11T08:04:20.161000",
          "created": "2025-03-12T08:26:08.661000",
          "tags": [
            "entity",
            "please",
            "javascript",
            "historical ssl",
            "referrer",
            "brrnyaw8 peexe",
            "hd1 bluescsi",
            "hd0 bluescsi",
            "gegkn peexe",
            "letter",
            "hero designer",
            "no meaningful",
            "applefree",
            "condrv text"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/gb4b60d48558e41e6a7f35bc267b94c247e75f61fcc1b4ca68cc45e49cf626be8?theme=dark",
            "https://www.virustotal.com/gui/collection/6aa3f483cde0f6cd32061b192f75c13358eb90f3a10343feba94d4e44a6c1b74/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Aruba",
            "United States of America",
            "Canada",
            "Panama",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [
            "Education",
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 166,
            "domain": 57,
            "hostname": 146,
            "URL": 8,
            "CVE": 1
          },
          "indicator_count": 400,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "415 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e5f78f4505e0f1ed2b169a",
          "name": "Crypt3.BXVC",
          "description": "",
          "modified": "2024-10-14T20:01:07.396000",
          "created": "2024-09-14T20:52:31.163000",
          "tags": [
            "asnone",
            "as15169",
            "as16417 cisco",
            "as26211",
            "as22843",
            "as36647 oath",
            "as3356 level",
            "as36646 oath",
            "telecom"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia",
            "Canada",
            "Brazil",
            "Ireland",
            "India",
            "Singapore",
            "Spain",
            "Japan",
            "Belgium",
            "South Africa",
            "China",
            "Italy",
            "Aruba",
            "Germany",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "WS.Reputation.1",
              "display_name": "WS.Reputation.1",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Hlux.csf",
              "display_name": "Backdoor.Win32.Hlux.csf",
              "target": null
            },
            {
              "id": "Trojan.Downloader.JRJV",
              "display_name": "Trojan.Downloader.JRJV",
              "target": null
            },
            {
              "id": "Trojan.DownLoader12.20457",
              "display_name": "Trojan.DownLoader12.20457",
              "target": null
            },
            {
              "id": "TROJ_SPNV.01B615",
              "display_name": "TROJ_SPNV.01B615",
              "target": null
            },
            {
              "id": "Troj/HkMain-CC",
              "display_name": "Troj/HkMain-CC",
              "target": null
            },
            {
              "id": "Trojan/Win32.Ransom",
              "display_name": "Trojan/Win32.Ransom",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 100,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 175,
            "domain": 712,
            "hostname": 657,
            "URL": 1
          },
          "indicator_count": 1745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "594 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b80a20bbcd0eb305a740ec",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-29T20:27:12.899000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a77c6a22a236495c4548d6",
          "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.'  PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T07:06:18.453000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "remote",
            "malvertizing",
            "spying",
            "cyber stalking"
          ],
          "references": [
            "https://tulach.cc/",
            "go.sabey.com",
            "sabey.com",
            "cellebrite.com",
            "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "remote.aciscomputers.com",
            "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
            "114.114.114.114 [Tulach]",
            "nr-data.net [Apple Private Data Collection]",
            "defenselawyernj.com",
            "attorney-marketing-specialists.com ?",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
            "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
            "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
            "https://t.me/hermitspyware/24",
            "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
            "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
            "http://watchhers.net/index.php [remote attackers | malware spreader]",
            "api-stage.pornhub.com",
            "newbrazzers.com [y8.com]",
            "www.videolan.org [info solutions]",
            "www2.blackbagtech.com [hidden users included]",
            "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
            "http://pegasus.diskel.co.uk/ [phishing]",
            "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
            "fds.cellebrite.com",
            "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
            "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
            "http://download.virtualbox.org/virtualbox/debian",
            "match.pegasus.isi.edu",
            "asp.net",
            "http://dropbox.com/ [ intrusions/ dropbox stealer]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1588.004",
              "name": "Digital Certificates",
              "display_name": "T1588.004 - Digital Certificates"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            }
          ],
          "industries": [
            "Individual",
            "Patient",
            "Healthcare",
            "Survivor"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3157,
            "domain": 2903,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a76c2901b34c79a681596d",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following ,  being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T05:56:57.948000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659f1310208a68cf3ec90fd9",
          "name": "Hello Fresh",
          "description": "",
          "modified": "2024-02-09T21:03:15.830000",
          "created": "2024-01-10T21:58:40.811000",
          "tags": [
            "virustotal"
          ],
          "references": [
            "https://www.virustotal.com/graph/g3055abab3907447a84612777d24c2bac1e2c707f74364e8dafe581c35fc051de"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 97,
            "URL": 1,
            "domain": 42,
            "hostname": 38
          },
          "indicator_count": 210,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659560d63178b32f07838efb",
          "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|",
          "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering,  spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.",
          "modified": "2024-02-02T12:04:41.638000",
          "created": "2024-01-03T13:27:50.685000",
          "tags": [
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "unsafeeval",
            "path",
            "expiressat",
            "auto",
            "wheels online",
            "o tires",
            "shop tires",
            "html info",
            "title shop",
            "tires",
            "meta tags",
            "big o",
            "tires language",
            "name verdict",
            "falcon sandbox",
            "samples",
            "localappdata",
            "json data",
            "temp",
            "getprocaddress",
            "ascii text",
            "windir",
            "file",
            "indicator",
            "mitre att",
            "ck id",
            "factory",
            "hybrid",
            "model",
            "comspec",
            "ssl certificate",
            "whois record",
            "execution",
            "contacted",
            "historical ssl",
            "whois whois",
            "simda http",
            "collections",
            "historical",
            "dropped",
            "backdoor",
            "unknown",
            "united",
            "asnone",
            "show",
            "entries",
            "search",
            "intel",
            "ms windows",
            "pe32",
            "windows nt",
            "copy",
            "write",
            "logic",
            "download",
            "malware",
            "suspicious",
            "next",
            "destination",
            "port",
            "components",
            "globalnpf",
            "china as23724",
            "music",
            "data c",
            "mexico",
            "as15169 google",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "united kingdom",
            "explorer",
            "xserver",
            "mtb aug",
            "location united",
            "america asn",
            "open",
            "trojan",
            "worm",
            "dataadobereader",
            "as397240",
            "msie",
            "etpro trojan",
            "virgin islands",
            "script urls",
            "creation date",
            "record value",
            "date",
            "a domains",
            "all search",
            "otx octoseek",
            "url http",
            "http",
            "related nids",
            "pulse http",
            "url https",
            "files location",
            "as20940",
            "aaaa",
            "as2914 ntt",
            "canada unknown",
            "japan unknown",
            "as16625 akamai",
            "domain",
            "hostname",
            "gmt content",
            "gmt report",
            "0 report",
            "sea alt",
            "body",
            "encrypt",
            "social engineering",
            "revenge rat",
            "rat",
            "identity theft",
            "credit card",
            "referrer",
            "communicating",
            "bundled",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "quasar rat",
            "dark power",
            "swisyn",
            "wiper",
            "ransomware",
            "cobalt strike",
            "attack",
            "core",
            "emotet",
            "exploit",
            "hacktool",
            "mail spammer",
            "as63949 linode",
            "mtb dec",
            "checkin m1",
            "trojanspy",
            "artro",
            "remote",
            "infostealer"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ukraine",
            "Georgia",
            "India",
            "Hong Kong",
            "Canada",
            "China",
            "Indonesia",
            "South Africa",
            "Germany",
            "Slovenia",
            "Mexico",
            "Netherlands",
            "Japan",
            "Spain",
            "Argentina",
            "France",
            "Chile",
            "Italy",
            "Aruba",
            "Switzerland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Denmark",
            "Poland",
            "Colombia",
            "Taiwan",
            "Bulgaria",
            "Austria",
            "Russian Federation",
            "Australia",
            "Philippines",
            "Norway",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Simda",
              "display_name": "Backdoor:Win32/Simda",
              "target": "/malware/Backdoor:Win32/Simda"
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "PWS:Win32/VB.CU",
              "display_name": "PWS:Win32/VB.CU",
              "target": "/malware/PWS:Win32/VB.CU"
            },
            {
              "id": "Trojan:MSIL/ClipBanker.GB!MTB",
              "display_name": "Trojan:MSIL/ClipBanker.GB!MTB",
              "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB"
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            },
            {
              "id": "Win.Packed.Zusy-7170176-0",
              "display_name": "Win.Packed.Zusy-7170176-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-9880005-0",
              "display_name": "Win.Trojan.Zbot-9880005-0",
              "target": null
            },
            {
              "id": "'Win32:Trojan-gen",
              "display_name": "'Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.B",
              "display_name": "Worm:Win32/Mofksys.B",
              "target": "/malware/Worm:Win32/Mofksys.B"
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Worm:LOGO/Logic",
              "display_name": "Worm:LOGO/Logic",
              "target": "/malware/Worm:LOGO/Logic"
            },
            {
              "id": "ETPro Trojan",
              "display_name": "ETPro Trojan",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Swisyn",
              "display_name": "TrojanSpy:Win32/Swisyn",
              "target": "/malware/TrojanSpy:Win32/Swisyn"
            },
            {
              "id": "Dark Power",
              "display_name": "Dark Power",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 560,
            "FileHash-SHA1": 350,
            "FileHash-SHA256": 4371,
            "URL": 8165,
            "domain": 2548,
            "hostname": 2813,
            "CVE": 4,
            "email": 3
          },
          "indicator_count": 18814,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a7c9f6bf793f823e6398",
          "name": "Qakbot attacks. As strong as before?",
          "description": "",
          "modified": "2023-12-06T16:56:41.266000",
          "created": "2023-12-06T16:56:41.266000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "hostname": 1177,
            "FileHash-SHA256": 2150,
            "domain": 620,
            "URL": 3016,
            "FileHash-MD5": 519,
            "FileHash-SHA1": 292
          },
          "indicator_count": 7775,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f1a715b26eb6e3ff58875",
          "name": "Qakbot attacks. As strong as before?",
          "description": "",
          "modified": "2023-11-04T07:02:32.756000",
          "created": "2023-10-30T02:52:33.136000",
          "tags": [
            "blacklist https",
            "rstunf",
            "tad436770",
            "united",
            "anonymizer",
            "mail spammer",
            "malicious host",
            "cyber threat",
            "heur",
            "phishing",
            "malware",
            "team",
            "control server",
            "qakbot",
            "redline stealer",
            "malicious",
            "asyncrat",
            "cobalt strike",
            "download",
            "cisco umbrella",
            "site",
            "safe site",
            "malicious url",
            "paypal",
            "team phishing",
            "detection list",
            "blacklist",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "bank",
            "alexa",
            "blacknet rat",
            "stealer",
            "noname057",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "attack",
            "tsara",
            "tsara brashears",
            "boeing",
            "apple id",
            "samsung",
            "telegrafix",
            "trellian",
            "dumping",
            "fiies shared",
            "browser malware",
            "cyber criminal",
            "cyber crime",
            "brashears",
            "hybrid",
            "analysis"
          ],
          "references": [],
          "public": 1,
          "adversary": "Qakbot",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Argentina"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "651e79f50ce42abe29702324",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3016,
            "domain": 620,
            "hostname": 1177,
            "FileHash-MD5": 519,
            "FileHash-SHA1": 292,
            "FileHash-SHA256": 2150,
            "CVE": 1
          },
          "indicator_count": 7775,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "939 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "651e79f50ce42abe29702324",
          "name": "Qakbot attacks. As strong as before?",
          "description": "command and control\nRedlinestealer\nQakbot\nNoName057\nAzorult\nBlack Rat\nbrowser malware  \nBanker\nTheft\nPhishing",
          "modified": "2023-11-04T07:02:32.756000",
          "created": "2023-10-05T08:55:16.736000",
          "tags": [
            "blacklist https",
            "rstunf",
            "tad436770",
            "united",
            "anonymizer",
            "mail spammer",
            "malicious host",
            "cyber threat",
            "heur",
            "phishing",
            "malware",
            "team",
            "control server",
            "qakbot",
            "redline stealer",
            "malicious",
            "asyncrat",
            "cobalt strike",
            "download",
            "cisco umbrella",
            "site",
            "safe site",
            "malicious url",
            "paypal",
            "team phishing",
            "detection list",
            "blacklist",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "bank",
            "alexa",
            "blacknet rat",
            "stealer",
            "noname057",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "attack",
            "tsara",
            "tsara brashears",
            "boeing",
            "apple id",
            "samsung",
            "telegrafix",
            "trellian",
            "dumping",
            "fiies shared",
            "browser malware",
            "cyber criminal",
            "cyber crime",
            "brashears",
            "hybrid",
            "analysis"
          ],
          "references": [],
          "public": 1,
          "adversary": "Qakbot",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Argentina"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3016,
            "domain": 620,
            "hostname": 1177,
            "FileHash-MD5": 519,
            "FileHash-SHA1": 292,
            "FileHash-SHA256": 2150,
            "CVE": 1
          },
          "indicator_count": 7775,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "939 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c3af07b73d51dc4bb9efbc",
          "name": "Phrishing and MiSL, at odomou.com",
          "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.",
          "modified": "2023-09-10T13:02:26.487000",
          "created": "2023-07-28T12:05:27.845000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Hell-On-A-Stick",
            "id": "186907",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 489,
            "FileHash-MD5": 135,
            "FileHash-SHA1": 129,
            "URL": 316,
            "domain": 341,
            "hostname": 219,
            "CVE": 1
          },
          "indicator_count": 1630,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 51,
          "modified_text": "994 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62511be8b84f68483c610963",
          "name": "Cisco Talos Intelligence Group : Threat Roundup for April 1 to April 8",
          "description": "Security firm Talos has published its latest roundups of malware threats, highlighting the most prevalent and most common threats in the industry. and discussing how customers can be automatically protected from these threats and vulnerabilities.",
          "modified": "2022-05-09T00:00:19.127000",
          "created": "2022-04-09T05:38:48.320000",
          "tags": [
            "upatre",
            "lokibot",
            "tofsee",
            "na stealthwatch",
            "mitre att",
            "json",
            "compromise iocs",
            "registry keys",
            "endpoint secure",
            "occurrences ip",
            "addresses",
            "cloud na",
            "secure malware",
            "april",
            "zusy",
            "rats"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Lokibot",
              "display_name": "Lokibot",
              "target": null
            },
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Banking"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "CIDR": 3,
            "FileHash-MD5": 21,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 136,
            "hostname": 23
          },
          "indicator_count": 214,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 356,
          "modified_text": "1484 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
        "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
        "www.videolan.org [info solutions]",
        "sabey.com",
        "Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
        "www-stage40.pornhub.com",
        "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
        "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
        "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
        "https://blog.talosintelligence.com/2022/04/threat-roundup-0401-0408.html",
        "api-stage.pornhub.com",
        "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
        "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
        "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE  Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
        "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
        "114.114.114.114",
        "Pandex!gen1 Web Products",
        "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
        "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
        "work.a-poster.info",
        "hanmail.net",
        "http://pegasus.diskel.co.uk/ [phishing]",
        "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
        "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
        "go.sabey.com",
        "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af",
        "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc",
        "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
        "fds.cellebrite.com",
        "match.pegasus.isi.edu",
        "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
        "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
        "https://www.virustotal.com/graph/embed/gb4b60d48558e41e6a7f35bc267b94c247e75f61fcc1b4ca68cc45e49cf626be8?theme=dark",
        "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
        "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
        "Crypt3.BXVC IDS: Abuseat.org Block Message",
        "114.114.114.114 [Tulach]",
        "attorney-marketing-specialists.com ?",
        "https://t.me/hermitspyware/24",
        "http://watchhers.net/index.php [remote attackers | malware spreader]",
        "http://dropbox.com/ [ intrusions/ dropbox stealer]",
        "https://www.virustotal.com/graph/g3055abab3907447a84612777d24c2bac1e2c707f74364e8dafe581c35fc051de",
        "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
        "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
        "cellebrite.com",
        "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
        "http://download.virtualbox.org/virtualbox/debian",
        "https://tulach.cc/",
        "defenselawyernj.com",
        "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
        "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
        "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
        "www2.blackbagtech.com [hidden users included]",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "nr-data.net [Apple Private Data Collection]",
        "asp.net",
        "Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
        "https://twitter.com/PORNO_SEXYBABES",
        "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
        "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "https://www.virustotal.com/gui/collection/6aa3f483cde0f6cd32061b192f75c13358eb90f3a10343feba94d4e44a6c1b74/iocs",
        "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
        "newbrazzers.com [y8.com]",
        "Crypt3.BXVC IDS: Suspicious double Server Header",
        "you.are.poor.i.got.trap.money?",
        "remote.aciscomputers.com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Qakbot"
          ],
          "malware_families": [
            "Trojan/win32.ransom",
            "Kimsuky",
            "Exodus",
            "Trojanspy:win32/swisyn",
            "Ransomware",
            "Trojan:msil/clipbanker.gb!mtb",
            "Crypt3.boqd",
            "#lowfi:scpt:kiraasciiobfuscator",
            "Lolkek",
            "Prorat",
            "Crypt5.bbyh",
            "Atros3.ahfb",
            "Tel:trojandownloader:o97m/msiexecabuse",
            "Worm:win32/mofksys.rnd!mtb",
            "Inject2.bive",
            "Win.keylogger.qbot-9987768-0",
            "Et",
            "Worm:win32/mofksys.b",
            "Bc.win.packer.troll-11",
            "Pandex!gen1",
            "Web products",
            "Crypt3.boje",
            "Backdoor:win32/prorat.l",
            "Backdoor.win32.hlux.csf",
            "Troj/hkmain-cc",
            "Crypt3.bxgr",
            "Crypt4.ahsw",
            "Quasar rat",
            "Inject2.bhbw",
            "Win.trojan.zbot-9880005-0",
            "Win32:botx-gen\\ [trj]",
            "Lokibot",
            "Win.trojan.qakbot-9988002-1",
            "Crypt3.bxmj",
            "Trojan:win32/comspec",
            "Hacktool",
            "Emotet",
            "Etpro trojan",
            "Upatre",
            "Ws.reputation.1",
            "Crypt3.blxp",
            "Trojan:win32/glupteba.ov!mtb",
            "Win32:trojan",
            "Sabey",
            "Danabot",
            "Crypt3.coiz",
            "Cobalt strike",
            "Virtool:win32/tofsee",
            "Backdoor:win32/simda",
            "Pws:win32/vb.cu",
            "Virus:win32/floxif.h",
            "Tulach",
            "Troj_spnv.01b615",
            "Pws:win32/raven",
            "Tofsee",
            "Trojan.downloader12.20457",
            "Win32:malware-gen",
            "Win.packed.zusy-7170176-0",
            "Crypt3.cmtm",
            "Hallrender",
            "Worm:logo/logic",
            "Crypt3.ckto",
            "Dark power",
            "Crypt3.boiu",
            "Crypt3.bxvc",
            "Artro",
            "Trojan.downloader.jrjv",
            "'win32:trojan-gen",
            "Trojanspy"
          ],
          "industries": [
            "Education",
            "Patient",
            "Technology",
            "Survivor",
            "Irs",
            "Banking",
            "Healthcare",
            "Individual",
            "Insurance",
            "Telecommunications",
            "Government",
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 21,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b76c9a490b69b6a085b3",
      "name": "Exodus/cellbrite clone by Q Vashti",
      "description": "",
      "modified": "2026-03-12T12:54:04.160000",
      "created": "2026-03-12T12:54:04.160000",
      "tags": [
        "ssl certificate",
        "network",
        "malware",
        "whois record",
        "contacted",
        "pegasus",
        "resolutions",
        "communicating",
        "sa victim",
        "assaulter",
        "quasar",
        "brian sabey",
        "go.sabey",
        "ioc search",
        "new ioc",
        "teams api",
        "contact",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "urls https",
        "samples",
        "united",
        "aaaa",
        "status",
        "susp",
        "search",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "date",
        "next",
        "show",
        "domain related",
        "feeds ioc",
        "maltiverse",
        "analyze",
        "scan endpoints",
        "all octoseek",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "all search",
        "otx octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "china unknown",
        "as4134 chinanet",
        "unknown",
        "name servers",
        "showing",
        "namesilo",
        "domain name",
        "dynadot llc",
        "as8075",
        "script urls",
        "netherlands",
        "a domains",
        "capture",
        "asnone united",
        "record value",
        "expiration date",
        "entries",
        "cname",
        "tulach",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "server",
        "available from",
        "iana id",
        "registrar abuse",
        "registrar url",
        "registrar whois",
        "abuse contact",
        "email",
        "registry domain",
        "code",
        "win32 exe",
        "ufed iphone",
        "cellebrite ufed",
        "setup",
        "tjprojmain",
        "ufed4pc",
        "win32 dll",
        "detections type",
        "name",
        "responder",
        "exodus",
        "android",
        "office open",
        "xml document",
        "cellebrite",
        "type name",
        "pdf cellebrite",
        "ufed release",
        "cellbrite",
        "privilege https",
        "targets sa",
        "survivor",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "file",
        "pattern match",
        "observed email",
        "path",
        "factory",
        "hybrid",
        "general",
        "model",
        "comspec",
        "click",
        "title",
        "page",
        "body doctype",
        "quoth",
        "raven",
        "gmt content",
        "type",
        "vary",
        "accept",
        "october",
        "december",
        "copy",
        "execution",
        "awful",
        "referrer",
        "april",
        "kimsuky",
        "malicious",
        "crypto",
        "startpage",
        "hacktool",
        "installer",
        "tofsee",
        "historical ssl",
        "threat roundup",
        "phishing",
        "utc submissions",
        "submitters",
        "csc corporate",
        "domains",
        "twitter",
        "dropbox",
        "incapsula",
        "summary iocs",
        "graph community",
        "registrarsafe",
        "gandi sas",
        "google llc",
        "amazon02",
        "google",
        "akamaias",
        "facebook",
        "service",
        "patch",
        "namecheapnet",
        "cloudflarenet",
        "amazonaes",
        "gmo internet",
        "apple",
        "tsara brashears",
        "keylogger"
      ],
      "references": [
        "https://tulach.cc/",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES",
        "hanmail.net",
        "114.114.114.114",
        "work.a-poster.info",
        "www-stage40.pornhub.com",
        "go.sabey.com",
        "sabey.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Exodus",
          "display_name": "Exodus",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "PWS:Win32/Raven",
          "display_name": "PWS:Win32/Raven",
          "target": "/malware/PWS:Win32/Raven"
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        },
        {
          "id": "VirTool:Win32/Tofsee",
          "display_name": "VirTool:Win32/Tofsee",
          "target": "/malware/VirTool:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6916e098df39114161354b23",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4295,
        "FileHash-MD5": 322,
        "FileHash-SHA1": 296,
        "FileHash-SHA256": 3255,
        "domain": 2911,
        "hostname": 2894,
        "CVE": 2,
        "email": 9,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 13986,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "694f0aa090aedc7e498b2e9a",
      "name": "Qakbot | *NEW  Malware found and analyzed \u2022 IRS",
      "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information.  Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.",
      "modified": "2026-01-25T21:03:27.507000",
      "created": "2025-12-26T22:22:24.480000",
      "tags": [
        "related tags",
        "none google",
        "win32",
        "united",
        "united states",
        "irs",
        "qakbot",
        "qbot",
        "inject",
        "keylogger",
        "botx",
        "active",
        "bot network",
        "et trojan",
        "hello ssl",
        "destination",
        "port",
        "unknown",
        "ciphersuite",
        "sessionid",
        "asnone",
        "write",
        "virustotal",
        "drweb",
        "vipre",
        "mcafee",
        "panda",
        "malware",
        "pandex!gen1",
        "et",
        "brazil as16625",
        "akamai",
        "united kingdom",
        "dynamicloader",
        "medium",
        "tls handshake",
        "failure",
        "yara rule",
        "high",
        "cape",
        "guard",
        "error",
        "delphi",
        "qakbot",
        "tlsv1",
        "entries",
        "iobit unikstall",
        "global",
        "read c",
        "rgba",
        "unicode",
        "memcommit",
        "delete",
        "msie",
        "windows nt",
        "next",
        "dock",
        "execution",
        "server header",
        "download",
        "suspicious",
        "specified",
        "logic",
        "web products",
        "present nov",
        "present dec",
        "present jun",
        "present oct",
        "present may",
        "aaaa",
        "next associated",
        "urls show",
        "scheme",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "contacted hosts",
        "ip address",
        "ascii text",
        "pattern match",
        "href",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "beginstring",
        "show process",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "iframe",
        "click",
        "strings",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "learn",
        "command",
        "name tactics",
        "informative",
        "adversaries",
        "spawns",
        "defense evasion",
        "t1480 execution",
        "adult content",
        "lol fun hackers"
      ],
      "references": [
        "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
        "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE  Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
        "Pandex!gen1 Web Products",
        "Crypt3.BXVC IDS: Suspicious double Server Header",
        "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
        "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
        "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
        "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
        "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
        "Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
        "Crypt3.BXVC IDS: Abuseat.org Block Message",
        "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
        "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
        "Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
        "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
        "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
        "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Canada",
        "Brazil",
        "Ireland",
        "India",
        "Georgia",
        "Singapore",
        "Spain",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Inject2.BIVE",
          "display_name": "Inject2.BIVE",
          "target": null
        },
        {
          "id": "Win.Keylogger.Qbot-9987768-0",
          "display_name": "Win.Keylogger.Qbot-9987768-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Qakbot-9988002-1",
          "display_name": "Win.Trojan.Qakbot-9988002-1",
          "target": null
        },
        {
          "id": "Win32:BotX-gen\\ [Trj]",
          "display_name": "Win32:BotX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Pandex!gen1",
          "display_name": "Pandex!gen1",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Web Products",
          "display_name": "Web Products",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "IRS"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 158,
        "URL": 140,
        "hostname": 287,
        "FileHash-SHA256": 85,
        "FileHash-MD5": 110,
        "FileHash-SHA1": 77,
        "SSLCertFingerprint": 8
      },
      "indicator_count": 865,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6952febb1dbcf05ee601f050",
      "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
      "description": "",
      "modified": "2025-12-29T22:20:43.238000",
      "created": "2025-12-29T22:20:43.238000",
      "tags": [
        "ssl certificate",
        "network",
        "malware",
        "whois record",
        "contacted",
        "pegasus",
        "resolutions",
        "communicating",
        "sa victim",
        "assaulter",
        "quasar",
        "brian sabey",
        "go.sabey",
        "ioc search",
        "new ioc",
        "teams api",
        "contact",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "urls https",
        "samples",
        "united",
        "aaaa",
        "status",
        "susp",
        "search",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "date",
        "next",
        "show",
        "domain related",
        "feeds ioc",
        "maltiverse",
        "analyze",
        "scan endpoints",
        "all octoseek",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "all search",
        "otx octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "china unknown",
        "as4134 chinanet",
        "unknown",
        "name servers",
        "showing",
        "namesilo",
        "domain name",
        "dynadot llc",
        "as8075",
        "script urls",
        "netherlands",
        "a domains",
        "capture",
        "asnone united",
        "record value",
        "expiration date",
        "entries",
        "cname",
        "tulach",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "server",
        "available from",
        "iana id",
        "registrar abuse",
        "registrar url",
        "registrar whois",
        "abuse contact",
        "email",
        "registry domain",
        "code",
        "win32 exe",
        "ufed iphone",
        "cellebrite ufed",
        "setup",
        "tjprojmain",
        "ufed4pc",
        "win32 dll",
        "detections type",
        "name",
        "responder",
        "exodus",
        "android",
        "office open",
        "xml document",
        "cellebrite",
        "type name",
        "pdf cellebrite",
        "ufed release",
        "cellbrite",
        "privilege https",
        "targets sa",
        "survivor",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "file",
        "pattern match",
        "observed email",
        "path",
        "factory",
        "hybrid",
        "general",
        "model",
        "comspec",
        "click",
        "title",
        "page",
        "body doctype",
        "quoth",
        "raven",
        "gmt content",
        "type",
        "vary",
        "accept",
        "october",
        "december",
        "copy",
        "execution",
        "awful",
        "referrer",
        "april",
        "kimsuky",
        "malicious",
        "crypto",
        "startpage",
        "hacktool",
        "installer",
        "tofsee",
        "historical ssl",
        "threat roundup",
        "phishing",
        "utc submissions",
        "submitters",
        "csc corporate",
        "domains",
        "twitter",
        "dropbox",
        "incapsula",
        "summary iocs",
        "graph community",
        "registrarsafe",
        "gandi sas",
        "google llc",
        "amazon02",
        "google",
        "akamaias",
        "facebook",
        "service",
        "patch",
        "namecheapnet",
        "cloudflarenet",
        "amazonaes",
        "gmo internet",
        "apple",
        "tsara brashears",
        "keylogger"
      ],
      "references": [
        "https://tulach.cc/",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES",
        "hanmail.net",
        "114.114.114.114",
        "work.a-poster.info",
        "www-stage40.pornhub.com",
        "go.sabey.com",
        "sabey.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Exodus",
          "display_name": "Exodus",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "PWS:Win32/Raven",
          "display_name": "PWS:Win32/Raven",
          "target": "/malware/PWS:Win32/Raven"
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        },
        {
          "id": "VirTool:Win32/Tofsee",
          "display_name": "VirTool:Win32/Tofsee",
          "target": "/malware/VirTool:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65b80a20bbcd0eb305a740ec",
      "export_count": 40780,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4101,
        "FileHash-MD5": 322,
        "FileHash-SHA1": 296,
        "FileHash-SHA256": 3155,
        "domain": 2894,
        "hostname": 2847,
        "CVE": 2,
        "email": 9,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 13628,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "153 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916e098df39114161354b23",
      "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
      "description": "",
      "modified": "2025-12-14T07:05:42.106000",
      "created": "2025-11-14T07:56:08.872000",
      "tags": [
        "ssl certificate",
        "network",
        "malware",
        "whois record",
        "contacted",
        "pegasus",
        "resolutions",
        "communicating",
        "sa victim",
        "assaulter",
        "quasar",
        "brian sabey",
        "go.sabey",
        "ioc search",
        "new ioc",
        "teams api",
        "contact",
        "threat analyzer",
        "threat",
        "paste",
        "iocs",
        "urls https",
        "samples",
        "united",
        "aaaa",
        "status",
        "susp",
        "search",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "date",
        "next",
        "show",
        "domain related",
        "feeds ioc",
        "maltiverse",
        "analyze",
        "scan endpoints",
        "all octoseek",
        "url https",
        "pulse pulses",
        "http",
        "ip address",
        "related nids",
        "files location",
        "all search",
        "otx octoseek",
        "hostname",
        "pulse submit",
        "url analysis",
        "files",
        "china unknown",
        "as4134 chinanet",
        "unknown",
        "name servers",
        "showing",
        "namesilo",
        "domain name",
        "dynadot llc",
        "as8075",
        "script urls",
        "netherlands",
        "a domains",
        "capture",
        "asnone united",
        "record value",
        "expiration date",
        "entries",
        "cname",
        "tulach",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "server",
        "available from",
        "iana id",
        "registrar abuse",
        "registrar url",
        "registrar whois",
        "abuse contact",
        "email",
        "registry domain",
        "code",
        "win32 exe",
        "ufed iphone",
        "cellebrite ufed",
        "setup",
        "tjprojmain",
        "ufed4pc",
        "win32 dll",
        "detections type",
        "name",
        "responder",
        "exodus",
        "android",
        "office open",
        "xml document",
        "cellebrite",
        "type name",
        "pdf cellebrite",
        "ufed release",
        "cellbrite",
        "privilege https",
        "targets sa",
        "survivor",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "file",
        "pattern match",
        "observed email",
        "path",
        "factory",
        "hybrid",
        "general",
        "model",
        "comspec",
        "click",
        "title",
        "page",
        "body doctype",
        "quoth",
        "raven",
        "gmt content",
        "type",
        "vary",
        "accept",
        "october",
        "december",
        "copy",
        "execution",
        "awful",
        "referrer",
        "april",
        "kimsuky",
        "malicious",
        "crypto",
        "startpage",
        "hacktool",
        "installer",
        "tofsee",
        "historical ssl",
        "threat roundup",
        "phishing",
        "utc submissions",
        "submitters",
        "csc corporate",
        "domains",
        "twitter",
        "dropbox",
        "incapsula",
        "summary iocs",
        "graph community",
        "registrarsafe",
        "gandi sas",
        "google llc",
        "amazon02",
        "google",
        "akamaias",
        "facebook",
        "service",
        "patch",
        "namecheapnet",
        "cloudflarenet",
        "amazonaes",
        "gmo internet",
        "apple",
        "tsara brashears",
        "keylogger"
      ],
      "references": [
        "https://tulach.cc/",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES",
        "hanmail.net",
        "114.114.114.114",
        "work.a-poster.info",
        "www-stage40.pornhub.com",
        "go.sabey.com",
        "sabey.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Exodus",
          "display_name": "Exodus",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "PWS:Win32/Raven",
          "display_name": "PWS:Win32/Raven",
          "target": "/malware/PWS:Win32/Raven"
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        },
        {
          "id": "VirTool:Win32/Tofsee",
          "display_name": "VirTool:Win32/Tofsee",
          "target": "/malware/VirTool:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65a76c2901b34c79a681596d",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4295,
        "FileHash-MD5": 322,
        "FileHash-SHA1": 296,
        "FileHash-SHA256": 3255,
        "domain": 2911,
        "hostname": 2894,
        "CVE": 2,
        "email": 9,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 13986,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "168 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f65b43746fb93715eba928",
      "name": "Phishing [201025]",
      "description": "Phishing domains and IP addresses that have been used to send malicious emails.",
      "modified": "2025-11-19T15:01:46.959000",
      "created": "2025-10-20T15:54:43.943000",
      "tags": [
        "m365",
        "money",
        "phishing",
        "spearphishing",
        "azure-blob",
        "malicious-domain",
        "amazon-prime",
        "reward-claim"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "FS13JKMK",
        "id": "312129",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 105,
        "hostname": 155,
        "email": 7,
        "URL": 278,
        "FileHash-SHA256": 30
      },
      "indicator_count": 575,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68eff0848071708f9ee0c0bd",
      "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3",
      "description": "",
      "modified": "2025-11-14T17:02:12.746000",
      "created": "2025-10-15T19:05:40.466000",
      "tags": [
        "ipv4",
        "email abuse",
        "email info",
        "active related",
        "passive dns",
        "files related",
        "related tags",
        "none google",
        "external",
        "present aug",
        "present sep",
        "present jun",
        "present jul",
        "present oct",
        "ipv4 https",
        "crosscountry",
        "mortgagefamily",
        "port",
        "read c",
        "destination",
        "high",
        "intel",
        "ms windows",
        "stream",
        "explorer",
        "write",
        "malware",
        "united",
        "asnone",
        "et trojan",
        "windows nt",
        "suspicious",
        "win64",
        "zune",
        "et",
        "netherlands",
        "segoe ui",
        "found content",
        "length",
        "content type",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "error",
        "ip address",
        "pulse submit",
        "url analysis",
        "files",
        "domain",
        "ip related",
        "pulses none",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "spawns",
        "command",
        "found",
        "defense evasion",
        "ssl certificate",
        "execution",
        "path",
        "secure",
        "show technique",
        "mitre att",
        "ck matrix",
        "maxage31536000",
        "expirestue",
        "brand",
        "microsoft edge",
        "date",
        "cookie",
        "sha1",
        "ascii text",
        "sha256",
        "pattern match",
        "hybrid",
        "local",
        "click",
        "strings",
        "show process",
        "flag",
        "programfiles",
        "command decode",
        "comspec",
        "model",
        "general",
        "starfield",
        "encrypt",
        "iframe",
        "development att",
        "backdoor",
        "win32",
        "reverse dns",
        "location india",
        "india asn",
        "trojan",
        "mtb win32"
      ],
      "references": [
        "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
        "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
        "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
        "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
        "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
        "you.are.poor.i.got.trap.money?",
        "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "Romania",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "BC.Win.Packer.Troll-11",
          "display_name": "BC.Win.Packer.Troll-11",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Crypt3.BOJE",
          "display_name": "Crypt3.BOJE",
          "target": null
        },
        {
          "id": "Crypt3.BXMJ",
          "display_name": "Crypt3.BXMJ",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba.OV!MTB",
          "display_name": "Trojan:Win32/Glupteba.OV!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "ProRat",
          "display_name": "ProRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Prorat.L",
          "display_name": "Backdoor:Win32/Prorat.L",
          "target": "/malware/Backdoor:Win32/Prorat.L"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "Win32:Trojan",
          "display_name": "Win32:Trojan",
          "target": null
        },
        {
          "id": "DanaBot",
          "display_name": "DanaBot",
          "target": null
        },
        {
          "id": "Atros3.AHFB",
          "display_name": "Atros3.AHFB",
          "target": null
        },
        {
          "id": "Crypt5.BBYH",
          "display_name": "Crypt5.BBYH",
          "target": null
        },
        {
          "id": "Crypt4.AHSW",
          "display_name": "Crypt4.AHSW",
          "target": null
        },
        {
          "id": "Crypt3.COIZ",
          "display_name": "Crypt3.COIZ",
          "target": null
        },
        {
          "id": "Crypt3.CMTM",
          "display_name": "Crypt3.CMTM",
          "target": null
        },
        {
          "id": "Crypt3.CKTO",
          "display_name": "Crypt3.CKTO",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BXGR",
          "display_name": "Crypt3.BXGR",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BOQD",
          "display_name": "Crypt3.BOQD",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        },
        {
          "id": "Crypt3.BOIU",
          "display_name": "Crypt3.BOIU",
          "target": null
        },
        {
          "id": "Inject2.BHBW",
          "display_name": "Inject2.BHBW",
          "target": null
        },
        {
          "id": "Inject2.BIVE",
          "display_name": "Inject2.BIVE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [
        "Telecommunications",
        "Insurance"
      ],
      "TLP": "white",
      "cloned_from": "68efee5ba882db423d3bad8f",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10010,
        "FileHash-MD5": 150,
        "FileHash-SHA1": 144,
        "FileHash-SHA256": 2869,
        "domain": 2046,
        "email": 6,
        "hostname": 3705,
        "SSLCertFingerprint": 19
      },
      "indicator_count": 18949,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68efee5ba882db423d3bad8f",
      "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN  \u2022 Kryptic",
      "description": "",
      "modified": "2025-11-14T17:02:12.746000",
      "created": "2025-10-15T18:56:27.950000",
      "tags": [
        "ipv4",
        "email abuse",
        "email info",
        "active related",
        "passive dns",
        "files related",
        "related tags",
        "none google",
        "external",
        "present aug",
        "present sep",
        "present jun",
        "present jul",
        "present oct",
        "ipv4 https",
        "crosscountry",
        "mortgagefamily",
        "port",
        "read c",
        "destination",
        "high",
        "intel",
        "ms windows",
        "stream",
        "explorer",
        "write",
        "malware",
        "united",
        "asnone",
        "et trojan",
        "windows nt",
        "suspicious",
        "win64",
        "zune",
        "et",
        "netherlands",
        "segoe ui",
        "found content",
        "length",
        "content type",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "error",
        "ip address",
        "pulse submit",
        "url analysis",
        "files",
        "domain",
        "ip related",
        "pulses none",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "spawns",
        "command",
        "found",
        "defense evasion",
        "ssl certificate",
        "execution",
        "path",
        "secure",
        "show technique",
        "mitre att",
        "ck matrix",
        "maxage31536000",
        "expirestue",
        "brand",
        "microsoft edge",
        "date",
        "cookie",
        "sha1",
        "ascii text",
        "sha256",
        "pattern match",
        "hybrid",
        "local",
        "click",
        "strings",
        "show process",
        "flag",
        "programfiles",
        "command decode",
        "comspec",
        "model",
        "general",
        "starfield",
        "encrypt",
        "iframe",
        "development att",
        "backdoor",
        "win32",
        "reverse dns",
        "location india",
        "india asn",
        "trojan",
        "mtb win32"
      ],
      "references": [
        "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
        "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
        "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
        "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
        "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
        "you.are.poor.i.got.trap.money?",
        "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "Romania",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "BC.Win.Packer.Troll-11",
          "display_name": "BC.Win.Packer.Troll-11",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Crypt3.BOJE",
          "display_name": "Crypt3.BOJE",
          "target": null
        },
        {
          "id": "Crypt3.BXMJ",
          "display_name": "Crypt3.BXMJ",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba.OV!MTB",
          "display_name": "Trojan:Win32/Glupteba.OV!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "ProRat",
          "display_name": "ProRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Prorat.L",
          "display_name": "Backdoor:Win32/Prorat.L",
          "target": "/malware/Backdoor:Win32/Prorat.L"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "Win32:Trojan",
          "display_name": "Win32:Trojan",
          "target": null
        },
        {
          "id": "DanaBot",
          "display_name": "DanaBot",
          "target": null
        },
        {
          "id": "Atros3.AHFB",
          "display_name": "Atros3.AHFB",
          "target": null
        },
        {
          "id": "Crypt5.BBYH",
          "display_name": "Crypt5.BBYH",
          "target": null
        },
        {
          "id": "Crypt4.AHSW",
          "display_name": "Crypt4.AHSW",
          "target": null
        },
        {
          "id": "Crypt3.COIZ",
          "display_name": "Crypt3.COIZ",
          "target": null
        },
        {
          "id": "Crypt3.CMTM",
          "display_name": "Crypt3.CMTM",
          "target": null
        },
        {
          "id": "Crypt3.CKTO",
          "display_name": "Crypt3.CKTO",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BXGR",
          "display_name": "Crypt3.BXGR",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BOQD",
          "display_name": "Crypt3.BOQD",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        },
        {
          "id": "Crypt3.BOIU",
          "display_name": "Crypt3.BOIU",
          "target": null
        },
        {
          "id": "Inject2.BHBW",
          "display_name": "Inject2.BHBW",
          "target": null
        },
        {
          "id": "Inject2.BIVE",
          "display_name": "Inject2.BIVE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [
        "Telecommunications",
        "Insurance"
      ],
      "TLP": "white",
      "cloned_from": "68efedf37890e1b32d60eb55",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10010,
        "FileHash-MD5": 150,
        "FileHash-SHA1": 144,
        "FileHash-SHA256": 2869,
        "domain": 2046,
        "email": 6,
        "hostname": 3705,
        "SSLCertFingerprint": 19
      },
      "indicator_count": 18949,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68efedf37890e1b32d60eb55",
      "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me",
      "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]",
      "modified": "2025-11-14T17:02:12.746000",
      "created": "2025-10-15T18:54:43.205000",
      "tags": [
        "ipv4",
        "email abuse",
        "email info",
        "active related",
        "passive dns",
        "files related",
        "related tags",
        "none google",
        "external",
        "present aug",
        "present sep",
        "present jun",
        "present jul",
        "present oct",
        "ipv4 https",
        "crosscountry",
        "mortgagefamily",
        "port",
        "read c",
        "destination",
        "high",
        "intel",
        "ms windows",
        "stream",
        "explorer",
        "write",
        "malware",
        "united",
        "asnone",
        "et trojan",
        "windows nt",
        "suspicious",
        "win64",
        "zune",
        "et",
        "netherlands",
        "segoe ui",
        "found content",
        "length",
        "content type",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "error",
        "ip address",
        "pulse submit",
        "url analysis",
        "files",
        "domain",
        "ip related",
        "pulses none",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "spawns",
        "command",
        "found",
        "defense evasion",
        "ssl certificate",
        "execution",
        "path",
        "secure",
        "show technique",
        "mitre att",
        "ck matrix",
        "maxage31536000",
        "expirestue",
        "brand",
        "microsoft edge",
        "date",
        "cookie",
        "sha1",
        "ascii text",
        "sha256",
        "pattern match",
        "hybrid",
        "local",
        "click",
        "strings",
        "show process",
        "flag",
        "programfiles",
        "command decode",
        "comspec",
        "model",
        "general",
        "starfield",
        "encrypt",
        "iframe",
        "development att",
        "backdoor",
        "win32",
        "reverse dns",
        "location india",
        "india asn",
        "trojan",
        "mtb win32"
      ],
      "references": [
        "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
        "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
        "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
        "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
        "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
        "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
        "you.are.poor.i.got.trap.money?",
        "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "Romania",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "BC.Win.Packer.Troll-11",
          "display_name": "BC.Win.Packer.Troll-11",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Crypt3.BOJE",
          "display_name": "Crypt3.BOJE",
          "target": null
        },
        {
          "id": "Crypt3.BXMJ",
          "display_name": "Crypt3.BXMJ",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba.OV!MTB",
          "display_name": "Trojan:Win32/Glupteba.OV!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "ProRat",
          "display_name": "ProRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Prorat.L",
          "display_name": "Backdoor:Win32/Prorat.L",
          "target": "/malware/Backdoor:Win32/Prorat.L"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "Win32:Trojan",
          "display_name": "Win32:Trojan",
          "target": null
        },
        {
          "id": "DanaBot",
          "display_name": "DanaBot",
          "target": null
        },
        {
          "id": "Atros3.AHFB",
          "display_name": "Atros3.AHFB",
          "target": null
        },
        {
          "id": "Crypt5.BBYH",
          "display_name": "Crypt5.BBYH",
          "target": null
        },
        {
          "id": "Crypt4.AHSW",
          "display_name": "Crypt4.AHSW",
          "target": null
        },
        {
          "id": "Crypt3.COIZ",
          "display_name": "Crypt3.COIZ",
          "target": null
        },
        {
          "id": "Crypt3.CMTM",
          "display_name": "Crypt3.CMTM",
          "target": null
        },
        {
          "id": "Crypt3.CKTO",
          "display_name": "Crypt3.CKTO",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BXGR",
          "display_name": "Crypt3.BXGR",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BOQD",
          "display_name": "Crypt3.BOQD",
          "target": null
        },
        {
          "id": "Crypt3.BLXP",
          "display_name": "Crypt3.BLXP",
          "target": null
        },
        {
          "id": "Crypt3.BOIU",
          "display_name": "Crypt3.BOIU",
          "target": null
        },
        {
          "id": "Inject2.BHBW",
          "display_name": "Inject2.BHBW",
          "target": null
        },
        {
          "id": "Inject2.BIVE",
          "display_name": "Inject2.BIVE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [
        "Telecommunications",
        "Insurance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10010,
        "FileHash-MD5": 150,
        "FileHash-SHA1": 144,
        "FileHash-SHA256": 2869,
        "domain": 2046,
        "email": 6,
        "hostname": 3705,
        "SSLCertFingerprint": 19
      },
      "indicator_count": 18949,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d145204ffef3c1e0874773",
      "name": "XUSOM (unenriched)",
      "description": "Quick look at XUSOM",
      "modified": "2025-04-11T08:04:20.161000",
      "created": "2025-03-12T08:26:08.661000",
      "tags": [
        "entity",
        "please",
        "javascript",
        "historical ssl",
        "referrer",
        "brrnyaw8 peexe",
        "hd1 bluescsi",
        "hd0 bluescsi",
        "gegkn peexe",
        "letter",
        "hero designer",
        "no meaningful",
        "applefree",
        "condrv text"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/gb4b60d48558e41e6a7f35bc267b94c247e75f61fcc1b4ca68cc45e49cf626be8?theme=dark",
        "https://www.virustotal.com/gui/collection/6aa3f483cde0f6cd32061b192f75c13358eb90f3a10343feba94d4e44a6c1b74/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Aruba",
        "United States of America",
        "Canada",
        "Panama",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [
        "Education",
        "Healthcare",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 166,
        "domain": 57,
        "hostname": 146,
        "URL": 8,
        "CVE": 1
      },
      "indicator_count": 400,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "415 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "rediffmail.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "rediffmail.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780274271.6684346
}