{
  "type": "Domain",
  "indicator": "rmv6tf.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/rmv6tf.org",
    "alexa": "http://www.alexa.com/siteinfo/rmv6tf.org",
    "indicator": "rmv6tf.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4333883508,
      "indicator": "rmv6tf.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69a02837827feb0b78fa3ad2",
          "name": "The Belasco Chain",
          "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-02-26T11:02:15.932000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "sha1",
            "sha256",
            "crc32",
            "filenames c"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2813,
            "FileHash-SHA1": 2576,
            "FileHash-SHA256": 8145,
            "domain": 1903,
            "hostname": 1502,
            "URL": 1359,
            "email": 46,
            "CVE": 54,
            "CIDR": 3,
            "YARA": 7,
            "JA3": 1,
            "IPv4": 11
          },
          "indicator_count": 18420,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "4 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d967590f40c612c90ce84f",
          "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
          "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-04-10T21:10:49.749000",
          "tags": [
            "malicious",
            "Microsoft",
            "intent: reckless",
            "wiper",
            "Transip",
            "bankers document gone rogue",
            "Tehran",
            "pdfkit.net",
            "United",
            "broken Docusign seal",
            "esign violation",
            "us lawyers",
            "Iran",
            "IP Abuse US",
            "Spreader",
            "corruption that spread",
            "52.123.250.180",
            "Mass Data Loss and exfiltration",
            "Docusign exploited by insecure workflows",
            "Adobe exploited by insecure workflows",
            "threat map",
            "Infra / healthcare / more at risk from this negligence",
            "remediation: long. expire the certs. block 53..",
            "accountability, NOW.",
            "Burned",
            "Kitplay",
            "iOS",
            "Watering hole",
            "Webkit",
            "Religious Regime",
            "MS Office",
            "Compliance Hold Purgatory",
            "WIN EXE.32",
            "Firmware neutral",
            "Trusted Insider",
            "DKIM, SPF, DMARC Failures",
            "APKmirror",
            "ILOVEYOUBABY",
            "No Problems",
            "Christmas Tree EXEC Code Red worm Computer virus Nimda",
            "Wanna Cry",
            "APK",
            "DC RAT",
            "Emotnet",
            "Redline Swiper",
            "Open Door",
            "Bankers Document",
            "Y2K",
            "wsscript.exe, VBE",
            "Compliance Lock Trap",
            "Globalsign 2020 (potentially exploited)",
            "Heuristic Smear",
            "Gatsby Library Loader DLL",
            "w31999",
            "UofA"
          ],
          "references": [
            "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
            "People who exploit this put the US at risk. Bottom line.",
            "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
            "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
            "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
            "",
            "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
            "This document might expose someone, more than another.",
            "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
            "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
            "Micro - Dates to look for specific: April/May/June 2025",
            "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
            "Amazon- Check new cert subscribers on or around Sept 15 2025",
            "Entrust to Sectigo- Review vendors",
            "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
            "CA DMV- 2020 exploits, if even exist in your records, may be related.",
            "Digi/Global Sign - audit 2020 digital intersect",
            "Proton.me/Zenbox: Audit July 2025",
            "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
            "APKMirror https://www.apkmirror.com",
            "Google Docs 1.25.202.02 APK Download by Google LLC",
            "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
            "Y2K",
            "US, Philippines, Ukraine, Iran, China. Alberta.",
            "France",
            "Germany, Austria, and Switzerland GmbH",
            "Gatsby Library Loader, DLL",
            "Spellbinding! Indeed. SpellEditor.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": "69a82c54067ca1d502b1eb6c",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3921,
            "hostname": 1668,
            "CVE": 14,
            "URL": 1984,
            "domain": 1432,
            "FileHash-MD5": 882,
            "FileHash-SHA1": 946,
            "CIDR": 10,
            "email": 29,
            "JA3": 2,
            "IPv4": 11
          },
          "indicator_count": 10899,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "4 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f18e0230179736dbc3d41f",
          "name": "PDFKIT- The Blob",
          "description": "",
          "modified": "2026-05-30T03:14:58.205000",
          "created": "2026-04-29T04:50:10.760000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2895,
            "FileHash-SHA1": 219,
            "domain": 124,
            "CVE": 1,
            "URL": 175,
            "email": 11,
            "URI": 1,
            "FileHash-MD5": 220,
            "FileHash-SHA256": 1598,
            "CIDR": 6,
            "IPv4": 1
          },
          "indicator_count": 5251,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f0941c2acad200bc3aae15",
          "name": "VirusTotal report         Fraud, Forgery & Magic           for System32.zip",
          "description": "Further research highlights how important certificates still are. An ai will NEVER detect this, ever, as they are built on 'once' trusted roots. This does not have a trusted along with the other 5 that are distrusted. This allows for old models, in this instance, edge,  to be weaponized by really anyone at this point since everything fails cryptography + we are what truly seems like a short ways away from the entire internet demise based on how many of these I see. This one is extra special, not only is it built with Magic, its primary cert is a crypto domain. Client has brought forward these concerns to most agencies since Sept. 2025. Ignored. Identity stolen.\n-The digital signature of the object did not verify.\n-File distributed by Parted Magic LLC\n-(prime) Code Signing, WHQL Crypto \nrec: expiring the certificates wont work at this point, but its worth a shot. Rec: revoke Code Signing, WHQL Crypto (2012 exp still working!)  The other 5 to revoke are in ref.",
          "modified": "2026-05-29T00:06:38.152000",
          "created": "2026-04-28T11:03:56.273000",
          "tags": [
            "catalog",
            "pkcs",
            "signature",
            "file type",
            "pe file",
            "pe32",
            "ms windows",
            "found",
            "intel",
            "drops pe",
            "ascii text",
            "crlf line",
            "creates",
            "defense evasion",
            "code",
            "persistence",
            "fraud",
            "malicious",
            "next",
            "valid from",
            "valid",
            "valid usage",
            "code signing",
            "whql crypto",
            "algorithm",
            "thumbprint",
            "serial number",
            "pca status",
            "root authority",
            "all algorithm",
            "microsoft root",
            "ec df",
            "service status",
            "forgery",
            "trusted root, failed int.&prime",
            "magic",
            "internet is imploding",
            "cooked",
            "cryptographic failures",
            "IP mismanagement",
            "Horrible Oversight, Truly horrible",
            "Circus with Magic",
            "Pdfkit.net",
            "doomsday"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/50997cb5658dd4a8c6738e0be4b63ff937feb84207489681889c6700d6e93d79_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777373051&Signature=eMaEnBhSHcPRkNEsAbbcQS9TO5zUnrBYbvGr91OhKPFfvDsPIdJULxArlfI6%2BS%2BYthAwd%2FDmsOgpoqvoyzq6CHsPaEIcMsjuM5VQVFshm8olODXIo55xagQcZ6vcJWm%2BiNJ%2F3F1gnID7UHS%2B%2Fl6eWWzPWTh0biIyMyIpm%2BBhw%2BRLnfx%2FqRLrRKBpDtqyOogwbJgqELHtnuXA3r3xx7RRYbWcPIrFZitv%2BC6wlgSJ4vq7Jbya",
            "DC03161C91D83C296E8CEE9B87B9FF371FA05FA4(2015 still works w a trusted root), 3EA99A60058275E0ED83B892A909449F8C33B245 (exp2019 \"\") a timestamper, another time exp 2013 05FECB745F7F3B1A0E262A73435CCB7EAAED8B37-- and lastly the one that haunts my entire life which you cant expire because it did in 2020 and its hollow and will forever bypass trust: A43489159A520F0D93D032CCAF37E7FE20A8B419"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 371,
            "FileHash-SHA1": 372,
            "FileHash-SHA256": 2800,
            "domain": 162,
            "hostname": 1362,
            "URL": 108,
            "CIDR": 9,
            "email": 20
          },
          "indicator_count": 5204,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f094876e771316d0e3a415",
          "name": "VirusTotal report         Fraud, Forgery & Magic           for System32.zip",
          "description": "Further research highlights how important certificates still are. An ai will NEVER detect this, ever, as they are built on 'once' trusted roots. This does not have a trusted along with the other 5 that are distrusted. This allows for old models, in this instance, edge,  to be weaponized by really anyone at this point since everything fails cryptography + we are what truly seems like a short ways away from the entire internet demise based on how many of these I see. This one is extra special, not only is it built with Magic, its primary cert is a crypto domain. Client has brought forward these concerns to most agencies since Sept. 2025. Ignored. Identity stolen.\n-The digital signature of the object did not verify.\n-File distributed by Parted Magic LLC\n-(prime) Code Signing, WHQL Crypto \nrec: expiring the certificates wont work at this point, but its worth a shot. Rec: revoke Code Signing, WHQL Crypto (2012 exp still working!)  The other 5 to revoke are in ref.",
          "modified": "2026-05-29T00:06:38.152000",
          "created": "2026-04-28T11:05:43.436000",
          "tags": [
            "catalog",
            "pkcs",
            "signature",
            "file type",
            "pe file",
            "pe32",
            "ms windows",
            "found",
            "intel",
            "drops pe",
            "ascii text",
            "crlf line",
            "creates",
            "defense evasion",
            "code",
            "persistence",
            "fraud",
            "malicious",
            "next",
            "valid from",
            "valid",
            "valid usage",
            "code signing",
            "whql crypto",
            "algorithm",
            "thumbprint",
            "serial number",
            "pca status",
            "root authority",
            "all algorithm",
            "microsoft root",
            "ec df",
            "service status",
            "forgery",
            "trusted root, failed int.&prime",
            "magic",
            "internet is imploding",
            "cooked",
            "cryptographic failures",
            "IP mismanagement",
            "Horrible Oversight, Truly horrible",
            "Circus with Magic",
            "Pdfkit.net",
            "doomsday"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/50997cb5658dd4a8c6738e0be4b63ff937feb84207489681889c6700d6e93d79_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777373051&Signature=eMaEnBhSHcPRkNEsAbbcQS9TO5zUnrBYbvGr91OhKPFfvDsPIdJULxArlfI6%2BS%2BYthAwd%2FDmsOgpoqvoyzq6CHsPaEIcMsjuM5VQVFshm8olODXIo55xagQcZ6vcJWm%2BiNJ%2F3F1gnID7UHS%2B%2Fl6eWWzPWTh0biIyMyIpm%2BBhw%2BRLnfx%2FqRLrRKBpDtqyOogwbJgqELHtnuXA3r3xx7RRYbWcPIrFZitv%2BC6wlgSJ4vq7Jbya",
            "DC03161C91D83C296E8CEE9B87B9FF371FA05FA4(2015 still works w a trusted root), 3EA99A60058275E0ED83B892A909449F8C33B245 (exp2019 \"\") a timestamper, another time exp 2013 05FECB745F7F3B1A0E262A73435CCB7EAAED8B37-- and lastly the one that haunts my entire life which you cant expire because it did in 2020 and its hollow and will forever bypass trust: A43489159A520F0D93D032CCAF37E7FE20A8B419"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 163,
            "FileHash-SHA1": 170,
            "FileHash-SHA256": 1421,
            "domain": 122,
            "hostname": 291,
            "URL": 133,
            "CIDR": 2,
            "email": 4
          },
          "indicator_count": 2306,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b67cc33c12d0b1d8383351",
          "name": "Oh Apple. Check out the Belasco Chain Report if you got it, or the 6 others I sent.",
          "description": "0544b83c697f1557fc559724c944a4bc3a40af9895d3b060fa2d234a1bd1856e",
          "modified": "2026-05-15T17:54:42.511000",
          "created": "2026-03-15T09:32:51.639000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 485,
            "domain": 21,
            "hostname": 25,
            "YARA": 1,
            "CVE": 1
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "15 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "Proton.me/Zenbox: Audit July 2025",
        "Amazon- Check new cert subscribers on or around Sept 15 2025",
        "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
        "This document might expose someone, more than another.",
        "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
        "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
        "Gatsby Library Loader, DLL",
        "DC03161C91D83C296E8CEE9B87B9FF371FA05FA4(2015 still works w a trusted root), 3EA99A60058275E0ED83B892A909449F8C33B245 (exp2019 \"\") a timestamper, another time exp 2013 05FECB745F7F3B1A0E262A73435CCB7EAAED8B37-- and lastly the one that haunts my entire life which you cant expire because it did in 2020 and its hollow and will forever bypass trust: A43489159A520F0D93D032CCAF37E7FE20A8B419",
        "US, Philippines, Ukraine, Iran, China. Alberta.",
        "CA DMV- 2020 exploits, if even exist in your records, may be related.",
        "Micro - Dates to look for specific: April/May/June 2025",
        "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
        "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
        "Google Docs 1.25.202.02 APK Download by Google LLC",
        "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
        "Entrust to Sectigo- Review vendors",
        "Digi/Global Sign - audit 2020 digital intersect",
        "France",
        "APKMirror https://www.apkmirror.com",
        "People who exploit this put the US at risk. Bottom line.",
        "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
        "Spellbinding! Indeed. SpellEditor.exe",
        "https://vtbehaviour.commondatastorage.googleapis.com/50997cb5658dd4a8c6738e0be4b63ff937feb84207489681889c6700d6e93d79_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777373051&Signature=eMaEnBhSHcPRkNEsAbbcQS9TO5zUnrBYbvGr91OhKPFfvDsPIdJULxArlfI6%2BS%2BYthAwd%2FDmsOgpoqvoyzq6CHsPaEIcMsjuM5VQVFshm8olODXIo55xagQcZ6vcJWm%2BiNJ%2F3F1gnID7UHS%2B%2Fl6eWWzPWTh0biIyMyIpm%2BBhw%2BRLnfx%2FqRLrRKBpDtqyOogwbJgqELHtnuXA3r3xx7RRYbWcPIrFZitv%2BC6wlgSJ4vq7Jbya",
        "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
        "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
        "Y2K",
        "Germany, Austria, and Switzerland GmbH",
        "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
        "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Telecommunications",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69a02837827feb0b78fa3ad2",
      "name": "The Belasco Chain",
      "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-02-26T11:02:15.932000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "sha1",
        "sha256",
        "crc32",
        "filenames c"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2813,
        "FileHash-SHA1": 2576,
        "FileHash-SHA256": 8145,
        "domain": 1903,
        "hostname": 1502,
        "URL": 1359,
        "email": 46,
        "CVE": 54,
        "CIDR": 3,
        "YARA": 7,
        "JA3": 1,
        "IPv4": 11
      },
      "indicator_count": 18420,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "4 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d967590f40c612c90ce84f",
      "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
      "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-04-10T21:10:49.749000",
      "tags": [
        "malicious",
        "Microsoft",
        "intent: reckless",
        "wiper",
        "Transip",
        "bankers document gone rogue",
        "Tehran",
        "pdfkit.net",
        "United",
        "broken Docusign seal",
        "esign violation",
        "us lawyers",
        "Iran",
        "IP Abuse US",
        "Spreader",
        "corruption that spread",
        "52.123.250.180",
        "Mass Data Loss and exfiltration",
        "Docusign exploited by insecure workflows",
        "Adobe exploited by insecure workflows",
        "threat map",
        "Infra / healthcare / more at risk from this negligence",
        "remediation: long. expire the certs. block 53..",
        "accountability, NOW.",
        "Burned",
        "Kitplay",
        "iOS",
        "Watering hole",
        "Webkit",
        "Religious Regime",
        "MS Office",
        "Compliance Hold Purgatory",
        "WIN EXE.32",
        "Firmware neutral",
        "Trusted Insider",
        "DKIM, SPF, DMARC Failures",
        "APKmirror",
        "ILOVEYOUBABY",
        "No Problems",
        "Christmas Tree EXEC Code Red worm Computer virus Nimda",
        "Wanna Cry",
        "APK",
        "DC RAT",
        "Emotnet",
        "Redline Swiper",
        "Open Door",
        "Bankers Document",
        "Y2K",
        "wsscript.exe, VBE",
        "Compliance Lock Trap",
        "Globalsign 2020 (potentially exploited)",
        "Heuristic Smear",
        "Gatsby Library Loader DLL",
        "w31999",
        "UofA"
      ],
      "references": [
        "The source of corruption stems from a US wiper/trust bypass doc resting in an Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov]  for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
        "People who exploit this put the US at risk. Bottom line.",
        "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
        "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
        "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
        "",
        "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
        "This document might expose someone, more than another.",
        "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
        "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
        "Micro - Dates to look for specific: April/May/June 2025",
        "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
        "Amazon- Check new cert subscribers on or around Sept 15 2025",
        "Entrust to Sectigo- Review vendors",
        "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
        "CA DMV- 2020 exploits, if even exist in your records, may be related.",
        "Digi/Global Sign - audit 2020 digital intersect",
        "Proton.me/Zenbox: Audit July 2025",
        "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
        "APKMirror https://www.apkmirror.com",
        "Google Docs 1.25.202.02 APK Download by Google LLC",
        "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
        "Y2K",
        "US, Philippines, Ukraine, Iran, China. Alberta.",
        "France",
        "Germany, Austria, and Switzerland GmbH",
        "Gatsby Library Loader, DLL",
        "Spellbinding! Indeed. SpellEditor.exe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Telecommunications"
      ],
      "TLP": "green",
      "cloned_from": "69a82c54067ca1d502b1eb6c",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3921,
        "hostname": 1668,
        "CVE": 14,
        "URL": 1984,
        "domain": 1432,
        "FileHash-MD5": 882,
        "FileHash-SHA1": 946,
        "CIDR": 10,
        "email": 29,
        "JA3": 2,
        "IPv4": 11
      },
      "indicator_count": 10899,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "4 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f18e0230179736dbc3d41f",
      "name": "PDFKIT- The Blob",
      "description": "",
      "modified": "2026-05-30T03:14:58.205000",
      "created": "2026-04-29T04:50:10.760000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2895,
        "FileHash-SHA1": 219,
        "domain": 124,
        "CVE": 1,
        "URL": 175,
        "email": 11,
        "URI": 1,
        "FileHash-MD5": 220,
        "FileHash-SHA256": 1598,
        "CIDR": 6,
        "IPv4": 1
      },
      "indicator_count": 5251,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f0941c2acad200bc3aae15",
      "name": "VirusTotal report         Fraud, Forgery & Magic           for System32.zip",
      "description": "Further research highlights how important certificates still are. An AI will NEVER detect this, ever, as they are built on 'once' trusted roots. This does not have a trusted along with the other 5 that are distrusted. This allows for old models, in this instance, edge,  to be weaponized by really anyone at this point since everything fails cryptography + we are what truly seems like a short ways away from the entire internet's demise based on how many of these I see. This one is extra special, not only is it built with Magic, its primary cert is a crypto domain. Client has brought forward these concerns to most agencies since Sept. 2025. Ignored. Identity stolen.\n-The digital signature of the object did not verify.\n-File distributed by Parted Magic LLC\n-(prime) Code Signing, WHQL Crypto \nrec: expiring the certificates won't work at this point, but it's worth a shot. Rec: revoke Code Signing, WHQL Crypto (2012 exp still working!)  The other 5 to revoke are in ref.",
      "modified": "2026-05-29T00:06:38.152000",
      "created": "2026-04-28T11:03:56.273000",
      "tags": [
        "catalog",
        "pkcs",
        "signature",
        "file type",
        "pe file",
        "pe32",
        "ms windows",
        "found",
        "intel",
        "drops pe",
        "ascii text",
        "crlf line",
        "creates",
        "defense evasion",
        "code",
        "persistence",
        "fraud",
        "malicious",
        "next",
        "valid from",
        "valid",
        "valid usage",
        "code signing",
        "whql crypto",
        "algorithm",
        "thumbprint",
        "serial number",
        "pca status",
        "root authority",
        "all algorithm",
        "microsoft root",
        "ec df",
        "service status",
        "forgery",
        "trusted root, failed int.&prime",
        "magic",
        "internet is imploding",
        "cooked",
        "cryptographic failures",
        "IP mismanagement",
        "Horrible Oversight, Truly horrible",
        "Circus with Magic",
        "Pdfkit.net",
        "doomsday"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/50997cb5658dd4a8c6738e0be4b63ff937feb84207489681889c6700d6e93d79_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777373051&Signature=eMaEnBhSHcPRkNEsAbbcQS9TO5zUnrBYbvGr91OhKPFfvDsPIdJULxArlfI6%2BS%2BYthAwd%2FDmsOgpoqvoyzq6CHsPaEIcMsjuM5VQVFshm8olODXIo55xagQcZ6vcJWm%2BiNJ%2F3F1gnID7UHS%2B%2Fl6eWWzPWTh0biIyMyIpm%2BBhw%2BRLnfx%2FqRLrRKBpDtqyOogwbJgqELHtnuXA3r3xx7RRYbWcPIrFZitv%2BC6wlgSJ4vq7Jbya",
        "DC03161C91D83C296E8CEE9B87B9FF371FA05FA4(2015 still works w a trusted root), 3EA99A60058275E0ED83B892A909449F8C33B245 (exp2019 \"\") a timestamper, another time exp 2013 05FECB745F7F3B1A0E262A73435CCB7EAAED8B37-- and lastly the one that haunts my entire life which you cant expire because it did in 2020 and its hollow and will forever bypass trust: A43489159A520F0D93D032CCAF37E7FE20A8B419"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 371,
        "FileHash-SHA1": 372,
        "FileHash-SHA256": 2800,
        "domain": 162,
        "hostname": 1362,
        "URL": 108,
        "CIDR": 9,
        "email": 20
      },
      "indicator_count": 5204,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f094876e771316d0e3a415",
      "name": "VirusTotal report         Fraud, Forgery & Magic           for System32.zip",
      "description": "Further research highlights how important certificates still are. An AI will NEVER detect this, ever, as they are built on 'once' trusted roots. This does not have a trusted along with the other 5 that are distrusted. This allows for old models, in this instance, edge,  to be weaponized by really anyone at this point since everything fails cryptography + we are what truly seems like a short ways away from the entire internet's demise based on how many of these I see. This one is extra special, not only is it built with Magic, its primary cert is a crypto domain. Client has brought forward these concerns to most agencies since Sept. 2025. Ignored. Identity stolen.\n-The digital signature of the object did not verify.\n-File distributed by Parted Magic LLC\n-(prime) Code Signing, WHQL Crypto \nrec: expiring the certificates won't work at this point, but it's worth a shot. Rec: revoke Code Signing, WHQL Crypto (2012 exp still working!)  The other 5 to revoke are in ref.",
      "modified": "2026-05-29T00:06:38.152000",
      "created": "2026-04-28T11:05:43.436000",
      "tags": [
        "catalog",
        "pkcs",
        "signature",
        "file type",
        "pe file",
        "pe32",
        "ms windows",
        "found",
        "intel",
        "drops pe",
        "ascii text",
        "crlf line",
        "creates",
        "defense evasion",
        "code",
        "persistence",
        "fraud",
        "malicious",
        "next",
        "valid from",
        "valid",
        "valid usage",
        "code signing",
        "whql crypto",
        "algorithm",
        "thumbprint",
        "serial number",
        "pca status",
        "root authority",
        "all algorithm",
        "microsoft root",
        "ec df",
        "service status",
        "forgery",
        "trusted root, failed int.&prime",
        "magic",
        "internet is imploding",
        "cooked",
        "cryptographic failures",
        "IP mismanagement",
        "Horrible Oversight, Truly horrible",
        "Circus with Magic",
        "Pdfkit.net",
        "doomsday"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/50997cb5658dd4a8c6738e0be4b63ff937feb84207489681889c6700d6e93d79_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777373051&Signature=eMaEnBhSHcPRkNEsAbbcQS9TO5zUnrBYbvGr91OhKPFfvDsPIdJULxArlfI6%2BS%2BYthAwd%2FDmsOgpoqvoyzq6CHsPaEIcMsjuM5VQVFshm8olODXIo55xagQcZ6vcJWm%2BiNJ%2F3F1gnID7UHS%2B%2Fl6eWWzPWTh0biIyMyIpm%2BBhw%2BRLnfx%2FqRLrRKBpDtqyOogwbJgqELHtnuXA3r3xx7RRYbWcPIrFZitv%2BC6wlgSJ4vq7Jbya",
        "DC03161C91D83C296E8CEE9B87B9FF371FA05FA4(2015 still works w a trusted root), 3EA99A60058275E0ED83B892A909449F8C33B245 (exp2019 \"\") a timestamper, another time exp 2013 05FECB745F7F3B1A0E262A73435CCB7EAAED8B37-- and lastly the one that haunts my entire life which you cant expire because it did in 2020 and its hollow and will forever bypass trust: A43489159A520F0D93D032CCAF37E7FE20A8B419"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 163,
        "FileHash-SHA1": 170,
        "FileHash-SHA256": 1421,
        "domain": 122,
        "hostname": 291,
        "URL": 133,
        "CIDR": 2,
        "email": 4
      },
      "indicator_count": 2306,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b67cc33c12d0b1d8383351",
      "name": "Oh Apple. Check out the Belasco Chain Report if you got it, or the 6 others I sent.",
      "description": "0544b83c697f1557fc559724c944a4bc3a40af9895d3b060fa2d234a1bd1856e",
      "modified": "2026-05-15T17:54:42.511000",
      "created": "2026-03-15T09:32:51.639000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 485,
        "domain": 21,
        "hostname": 25,
        "YARA": 1,
        "CVE": 1
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "15 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "rmv6tf.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "rmv6tf.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780203922.7727194
}