{
  "type": "Domain",
  "indicator": "rmueller.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/rmueller.com",
    "alexa": "http://www.alexa.com/siteinfo/rmueller.com",
    "indicator": "rmueller.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4125994151,
      "indicator": "rmueller.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6946fdbb4a22dc28d60d6ca2",
          "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2",
          "description": "Pulse: \u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.",
          "modified": "2026-01-19T19:04:41.997000",
          "created": "2025-12-20T19:49:15.713000",
          "tags": [
            "doomscroller",
            "browsehappy",
            "xpirat",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "read c",
            "united",
            "tlsv1",
            "execution",
            "dock",
            "write",
            "persistence",
            "encrypt",
            "meta",
            "browse happy",
            "worry",
            "body doctype",
            "online",
            "gmt server",
            "a domains",
            "ipv4 add",
            "win32",
            "trojandropper",
            "title",
            "date",
            "unknown",
            "post http",
            "cryptexportkey",
            "cryptgenkey",
            "calgrc4",
            "expiro",
            "temple",
            "xserver",
            "adversaries",
            "worry wordpress"
          ],
          "references": [
            "Xpirat = doomscroller.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xpirat",
              "display_name": "Xpirat",
              "target": null
            },
            {
              "id": "Expiro",
              "display_name": "Expiro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            },
            {
              "id": "T1423",
              "name": "Network Service Scanning",
              "display_name": "T1423 - Network Service Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5576,
            "domain": 1502,
            "FileHash-MD5": 116,
            "FileHash-SHA1": 73,
            "FileHash-SHA256": 1041,
            "SSLCertFingerprint": 1,
            "hostname": 1951
          },
          "indicator_count": 10260,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "91 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691e462d095c8c8f397c358a",
          "name": "Searchjstg - Music Industry Relationship to malicious attacks",
          "description": "Britney Spears link found in a threat report re: attack on a monitored target. \nReport dated 5/2024. I researched the link and included results related to: https://www.neurotoxininstitute.com/ , Foundry, Apple Music, Operation Endgame, Sony etc. I need to research further to pinpoint the Lazarus connection. Related malicious files were found that need to be isolated. \n\nTarget has been affected by Lazarus group for a number of years. The catalogs of the target, an independent songwriter & publisher, were mostly deleted, sold, chopped. Videos, views. Spotify and all other media outlets where the target's music samples were showcased have been ravaged, including views in the millions gone. At some point all of her traffic was routed to .GA (Africa) audiences only. Most of the target's customer service for all things was also routed to South Africa. \n\nThere is also a Pegasus relationship.",
          "modified": "2025-12-19T21:00:48.726000",
          "created": "2025-11-19T22:35:25.095000",
          "tags": [
            "related pulses",
            "active related",
            "families",
            "virtool att",
            "ck ids",
            "t1140",
            "t1204",
            "user execution",
            "t1060",
            "run keys",
            "startup",
            "hr description",
            "active",
            "sony",
            "added active",
            "win32spigot",
            "spigot",
            "searchjstg",
            "sucuri",
            "url http",
            "url https",
            "cve cve20178977",
            "cve cve20140322",
            "type indicator",
            "britney spears",
            "official",
            "skip",
            "tiktok youtube",
            "spotify apple",
            "join",
            "newsletter",
            "subscribe",
            "britney",
            "rights reserved",
            "service",
            "matthew pynhas",
            "grs limited",
            "domain admin",
            "digital privacy",
            "wolfgang reile",
            "clyde murphy",
            "dmitry urin",
            "artem zahvatkin",
            "aleksey silakov",
            "mmi online",
            "cloud",
            "email add",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "spawns",
            "t1590 gather",
            "victim network",
            "united",
            "command decode",
            "suricata ipv4",
            "pcap frame",
            "suricata udpv4",
            "belgium belgium",
            "localappdata",
            "domain address",
            "contacted hosts",
            "strings",
            "show process",
            "programfiles",
            "mitre att",
            "show technique",
            "ck matrix",
            "href",
            "username",
            "userprofile",
            "sha1",
            "comspec",
            "model",
            "iframe",
            "general",
            "path",
            "ipv4",
            "dynamicloader",
            "msie",
            "windows nt",
            "unknown",
            "write c",
            "tls handshake",
            "failure",
            "tlsv1",
            "forbidden",
            "encrypt",
            "xserver",
            "copy",
            "write",
            "trojan",
            "malware",
            "julia",
            "carr",
            "next",
            "temple",
            "show",
            "entries",
            "medium",
            "search",
            "et trojan",
            "possible",
            "host sinkhole",
            "cookie value",
            "delete",
            "ids detections",
            "bifrose",
            "win32",
            "high",
            "crlf line",
            "document file",
            "v2 document",
            "yara rule",
            "sniffs",
            "guard"
          ],
          "references": [
            "https://britneyspears.com/",
            "https://www.neurotoxininstitute.com/",
            "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/",
            "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com",
            "https://hello.engine.com/api/mailings \u2022 hello.engine.com",
            "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below",
            "FileHash - SHA256 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Netherlands",
            "Poland",
            "United Kingdom of Great Britain and Northern Ireland",
            "T\u00fcrkiye",
            "Malaysia",
            "Canada",
            "Finland",
            "Germany",
            "Russian Federation",
            "Ireland",
            "France",
            "Jordan",
            "Australia"
          ],
          "malware_families": [
            {
              "id": "Win32/Spigot",
              "display_name": "Win32/Spigot",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.gen!CF",
              "display_name": "VirTool:Win32/VBInject.gen!CF",
              "target": "/malware/VirTool:Win32/VBInject.gen!CF"
            },
            {
              "id": "Searchjstg",
              "display_name": "Searchjstg",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Bifrose",
              "display_name": "Backdoor:Win32/Bifrose",
              "target": "/malware/Backdoor:Win32/Bifrose"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 424,
            "domain": 374,
            "hostname": 167,
            "FileHash-SHA256": 175,
            "email": 2,
            "FileHash-MD5": 222,
            "FileHash-SHA1": 145,
            "CVE": 7,
            "SSLCertFingerprint": 36
          },
          "indicator_count": 1552,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "121 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://hello.engine.com/api/mailings \u2022 hello.engine.com",
        "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below",
        "https://britneyspears.com/",
        "Xpirat = doomscroller.io",
        "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com",
        "https://www.neurotoxininstitute.com/",
        "FileHash - SHA256 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81",
        "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Virtool:win32/vbinject.gen!cf",
            "Searchjstg",
            "Win32/spigot",
            "Xpirat",
            "Expiro",
            "Backdoor:win32/bifrose"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6946fdbb4a22dc28d60d6ca2",
      "name": "Expiro - DoomScroller \u2022 BrowseHappy | Part 2",
      "description": "Pulse: \u00a31.1bn.io.com, a search engine for the most popular websites on the planet, is now available on Facebook, Twitter, Instagram and YouTube.",
      "modified": "2026-01-19T19:04:41.997000",
      "created": "2025-12-20T19:49:15.713000",
      "tags": [
        "doomscroller",
        "browsehappy",
        "xpirat",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "read c",
        "united",
        "tlsv1",
        "execution",
        "dock",
        "write",
        "persistence",
        "encrypt",
        "meta",
        "browse happy",
        "worry",
        "body doctype",
        "online",
        "gmt server",
        "a domains",
        "ipv4 add",
        "win32",
        "trojandropper",
        "title",
        "date",
        "unknown",
        "post http",
        "cryptexportkey",
        "cryptgenkey",
        "calgrc4",
        "expiro",
        "temple",
        "xserver",
        "adversaries",
        "worry wordpress"
      ],
      "references": [
        "Xpirat = doomscroller.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Xpirat",
          "display_name": "Xpirat",
          "target": null
        },
        {
          "id": "Expiro",
          "display_name": "Expiro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        },
        {
          "id": "T1423",
          "name": "Network Service Scanning",
          "display_name": "T1423 - Network Service Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5576,
        "domain": 1502,
        "FileHash-MD5": 116,
        "FileHash-SHA1": 73,
        "FileHash-SHA256": 1041,
        "SSLCertFingerprint": 1,
        "hostname": 1951
      },
      "indicator_count": 10260,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "91 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691e462d095c8c8f397c358a",
      "name": "Searchjstg - Music Industry Relationship to malicious attacks",
      "description": "Britney Spears link found in a threat report re: attack on a monitored target. \nReport dated 5/2024. I researched the link and included results related to: https://www.neurotoxininstitute.com/ , Foundry, Apple Music, Operation Endgame, Sony etc. I need to research further to pinpoint the Lazarus connection. Related malicious files were found that need to be isolated. \n\nTarget has been affected by Lazarus group for a number of years. The catalogs of the target, an independent songwriter & publisher, were mostly deleted, sold, chopped. Videos, views. Spotify and all other media outlets where the target's music samples were showcased have been ravaged, including views in the millions gone. At some point all of her traffic was routed to .GA (Africa) audiences only. Most of the target's customer service for all things was also routed to South Africa. \n\nThere is also a Pegasus relationship.",
      "modified": "2025-12-19T21:00:48.726000",
      "created": "2025-11-19T22:35:25.095000",
      "tags": [
        "related pulses",
        "active related",
        "families",
        "virtool att",
        "ck ids",
        "t1140",
        "t1204",
        "user execution",
        "t1060",
        "run keys",
        "startup",
        "hr description",
        "active",
        "sony",
        "added active",
        "win32spigot",
        "spigot",
        "searchjstg",
        "sucuri",
        "url http",
        "url https",
        "cve cve20178977",
        "cve cve20140322",
        "type indicator",
        "britney spears",
        "official",
        "skip",
        "tiktok youtube",
        "spotify apple",
        "join",
        "newsletter",
        "subscribe",
        "britney",
        "rights reserved",
        "service",
        "matthew pynhas",
        "grs limited",
        "domain admin",
        "digital privacy",
        "wolfgang reile",
        "clyde murphy",
        "dmitry urin",
        "artem zahvatkin",
        "aleksey silakov",
        "mmi online",
        "cloud",
        "email add",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "spawns",
        "t1590 gather",
        "victim network",
        "united",
        "command decode",
        "suricata ipv4",
        "pcap frame",
        "suricata udpv4",
        "belgium belgium",
        "localappdata",
        "domain address",
        "contacted hosts",
        "strings",
        "show process",
        "programfiles",
        "mitre att",
        "show technique",
        "ck matrix",
        "href",
        "username",
        "userprofile",
        "sha1",
        "comspec",
        "model",
        "iframe",
        "general",
        "path",
        "ipv4",
        "dynamicloader",
        "msie",
        "windows nt",
        "unknown",
        "write c",
        "tls handshake",
        "failure",
        "tlsv1",
        "forbidden",
        "encrypt",
        "xserver",
        "copy",
        "write",
        "trojan",
        "malware",
        "julia",
        "carr",
        "next",
        "temple",
        "show",
        "entries",
        "medium",
        "search",
        "et trojan",
        "possible",
        "host sinkhole",
        "cookie value",
        "delete",
        "ids detections",
        "bifrose",
        "win32",
        "high",
        "crlf line",
        "document file",
        "v2 document",
        "yara rule",
        "sniffs",
        "guard"
      ],
      "references": [
        "https://britneyspears.com/",
        "https://www.neurotoxininstitute.com/",
        "https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/ \u2022 http://devicefoundry.net/",
        "devicefoundry.net\t \u2022 feastfoundry.com \u2022 www.feastfoundry.com",
        "https://hello.engine.com/api/mailings \u2022 hello.engine.com",
        "Interesting Strings: https://music.apple.com/us/album/lazarus/1676286487?i=1676286742 | Hash Below",
        "FileHash - SHA256 7fca73cfc0844b72faab7bfcdac031505a5ee337987130f5ac2a40e1ff28cf81"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "Netherlands",
        "Poland",
        "United Kingdom of Great Britain and Northern Ireland",
        "T\u00fcrkiye",
        "Malaysia",
        "Canada",
        "Finland",
        "Germany",
        "Russian Federation",
        "Ireland",
        "France",
        "Jordan",
        "Australia"
      ],
      "malware_families": [
        {
          "id": "Win32/Spigot",
          "display_name": "Win32/Spigot",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.gen!CF",
          "display_name": "VirTool:Win32/VBInject.gen!CF",
          "target": "/malware/VirTool:Win32/VBInject.gen!CF"
        },
        {
          "id": "Searchjstg",
          "display_name": "Searchjstg",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Bifrose",
          "display_name": "Backdoor:Win32/Bifrose",
          "target": "/malware/Backdoor:Win32/Bifrose"
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 424,
        "domain": 374,
        "hostname": 167,
        "FileHash-SHA256": 175,
        "email": 2,
        "FileHash-MD5": 222,
        "FileHash-SHA1": 145,
        "CVE": 7,
        "SSLCertFingerprint": 36
      },
      "indicator_count": 1552,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "121 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "rmueller.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "rmueller.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776714651.2483902
}