{ "type": "Domain", "indicator": "regtons.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/regtons.com", "alexa": "http://www.alexa.com/siteinfo/regtons.com", "indicator": "regtons.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2210082589, "indicator": "regtons.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b79f2b00d481ced26e41b4", "name": "Hexadecimal Output 41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29", "description": "A chronology of key events:-1.5m-2.4m.1m (1,935,000 sq ft) - the full text of the following:. <- ((((((This pretext carries weight in my mind. It may not actually. So I decided from now on im breaking every one into Hexadecimal Output:\n41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29 and adding them. This was the output I found written above. You can do this easily with an internet scan.", "modified": "2026-04-15T06:19:53.075000", "created": "2026-03-16T06:11:55.097000", "tags": [ "name servers", "as13335", "united", "moved", "creation date", "servers", "status", "expiration date", "date", "aaaa", "unknown", "title", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "URL": 11, "domain": 3, "email": 2, "hostname": 11, "FileHash-SHA256": 2 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b79f2c22735c199c0cb830", "name": "Hexadecimal Output 41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29", "description": "A chronology of key events:-1.5m-2.4m.1m (1,935,000 sq ft) - the full text of the following:. <- ((((((This pretext carries weight in my mind. It may not actually. So I decided from now on im breaking every one into Hexadecimal Output:\n41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29 and adding them. This was the output I found written above. You can do this easily with an internet scan.", "modified": "2026-04-15T06:19:53.075000", "created": "2026-03-16T06:11:56.025000", "tags": [ "name servers", "as13335", "united", "moved", "creation date", "servers", "status", "expiration date", "date", "aaaa", "unknown", "title", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 12, "domain": 3, "email": 2, "hostname": 11 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7507caef756def34d1910", "name": "Regtons - I have so many questions.", "description": "", "modified": "2026-04-15T00:16:48.010000", "created": "2026-03-16T00:36:12.041000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "domain": 33, "hostname": 370, "email": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "URL": 11 }, "indicator_count": 425, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b746cbc0ff51b6334a1d35", "name": "Certs Following", "description": "", "modified": "2026-04-14T23:30:08.983000", "created": "2026-03-15T23:54:51.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 84, "FileHash-SHA256": 1, "URL": 9, "email": 6 }, "indicator_count": 117, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7507c8fe08ad6006d4202", "name": "Regtons - I have so many questions.", "description": "", "modified": "2026-03-16T14:05:48.014000", "created": "2026-03-16T00:36:12.777000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2, "domain": 3, "hostname": 69 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657081811cbd9a5dca05bd3d", "name": "assorted xyz sites for researching.", "description": "", "modified": "2023-12-06T14:13:21.425000", "created": "2023-12-06T14:13:21.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1061, "URL": 1128, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622ccdabfe5537a5a8cc71e1", "name": "assorted xyz sites for researching.", "description": "", "modified": "2022-05-13T14:11:33.609000", "created": "2022-03-12T16:43:23.872000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mokomoko1", "id": "45776", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_45776/resized/80/avatar_c26be60cfd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1128, "hostname": 1061, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 351, "modified_text": "1482 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "Pending Review.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Research Suggests:", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.", "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Do Not Run" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b79f2b00d481ced26e41b4", "name": "Hexadecimal Output 41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29", "description": "A chronology of key events:-1.5m-2.4m.1m (1,935,000 sq ft) - the full text of the following:. <- ((((((This pretext carries weight in my mind. It may not actually. So I decided from now on im breaking every one into Hexadecimal Output:\n41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29 and adding them. This was the output I found written above. You can do this easily with an internet scan.", "modified": "2026-04-15T06:19:53.075000", "created": "2026-03-16T06:11:55.097000", "tags": [ "name servers", "as13335", "united", "moved", "creation date", "servers", "status", "expiration date", "date", "aaaa", "unknown", "title", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "URL": 11, "domain": 3, "email": 2, "hostname": 11, "FileHash-SHA256": 2 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b79f2c22735c199c0cb830", "name": "Hexadecimal Output 41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29", "description": "A chronology of key events:-1.5m-2.4m.1m (1,935,000 sq ft) - the full text of the following:. <- ((((((This pretext carries weight in my mind. It may not actually. So I decided from now on im breaking every one into Hexadecimal Output:\n41 20 63 68 72 6f 6e 6f 6c 6f 67 79 20 6f 66 20 6b 65 79 20 65 76 65 6e 74 73 3a 2d 31 2e 35 6d 2d 32 2e 34 6d 2e 31 6d 20 28 31 2c 39 33 35 2c 30 30 30 20 73 71 20 66 74 29 and adding them. This was the output I found written above. You can do this easily with an internet scan.", "modified": "2026-04-15T06:19:53.075000", "created": "2026-03-16T06:11:56.025000", "tags": [ "name servers", "as13335", "united", "moved", "creation date", "servers", "status", "expiration date", "date", "aaaa", "unknown", "title", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "URL": 12, "domain": 3, "email": 2, "hostname": 11 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7507caef756def34d1910", "name": "Regtons - I have so many questions.", "description": "", "modified": "2026-04-15T00:16:48.010000", "created": "2026-03-16T00:36:12.041000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "domain": 33, "hostname": 370, "email": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "URL": 11 }, "indicator_count": 425, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b746cbc0ff51b6334a1d35", "name": "Certs Following", "description": "", "modified": "2026-04-14T23:30:08.983000", "created": "2026-03-15T23:54:51.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 84, "FileHash-SHA256": 1, "URL": 9, "email": 6 }, "indicator_count": 117, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7507c8fe08ad6006d4202", "name": "Regtons - I have so many questions.", "description": "", "modified": "2026-03-16T14:05:48.014000", "created": "2026-03-16T00:36:12.777000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2, "domain": 3, "hostname": 69 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657081811cbd9a5dca05bd3d", "name": "assorted xyz sites for researching.", "description": "", "modified": "2023-12-06T14:13:21.425000", "created": "2023-12-06T14:13:21.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1061, "URL": 1128, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622ccdabfe5537a5a8cc71e1", "name": "assorted xyz sites for researching.", "description": "", "modified": "2022-05-13T14:11:33.609000", "created": "2022-03-12T16:43:23.872000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mokomoko1", "id": "45776", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_45776/resized/80/avatar_c26be60cfd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1128, "hostname": 1061, "FileHash-SHA256": 24, "domain": 1983, "email": 2 }, "indicator_count": 4198, "is_author": false, "is_subscribing": null, "subscriber_count": 351, "modified_text": "1482 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "regtons.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "regtons.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780518594.191751 }