{ "type": "Domain", "indicator": "searchguideinc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/searchguideinc.com", "alexa": "http://www.alexa.com/siteinfo/searchguideinc.com", "indicator": "searchguideinc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2642527931, "indicator": "searchguideinc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1b46238df27ff6680430a", "name": "Analysis- 12/12/24 Darkgate- 9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02.zip (MD5: 71E189A0B08891CFFAB6E656FC49E00A) Malicious activity - Interactive analysis ANY.RUN", "description": "<> Darkgate. Links wouldnt attach. User does not have whatsapp.", "modified": "2026-04-17T07:11:13.591000", "created": "2026-04-17T04:17:38.518000", "tags": [ "delete", "yara detections", "high", "medium", "whatsapp plugin", "whatsapp", "read", "write", "top source", "top destination", "virustotal", "guard", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 57, "FileHash-MD5": 54, "FileHash-SHA1": 50, "FileHash-SHA256": 431, "URL": 328, "hostname": 385, "domain": 409, "email": 51, "CIDR": 40 }, "indicator_count": 1805, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acfaa081607e1104c5b126", "name": "Ghost the real Cab riding G-HOST", "description": "Violating the basic human centric civil rights of cryptography.", "modified": "2026-04-07T04:11:52.201000", "created": "2026-03-08T04:27:12.578000", "tags": [ "name servers", "status", "as16625 akamai", "passive dns", "body", "urls", "akamai", "creation date", "date", "expiration date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 102, "URL": 11, "email": 2, "hostname": 20, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 746 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acfa9f581a36982e769080", "name": "Ghost the real Cab riding G-HOST", "description": "Violating the basic human centric civil rights of cryptography.", "modified": "2026-04-07T04:11:52.201000", "created": "2026-03-08T04:27:11.283000", "tags": [ "name servers", "status", "as16625 akamai", "passive dns", "body", "urls", "akamai", "creation date", "date", "expiration date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 103, "URL": 12, "email": 2, "hostname": 21, "FileHash-MD5": 38, "FileHash-SHA1": 38, "FileHash-SHA256": 521 }, "indicator_count": 735, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "540 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e47020bdbbc384d102d169", "name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer", "description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys", "modified": "2024-10-13T13:01:27.179000", "created": "2024-09-13T17:02:24.806000", "tags": [ "namecheap", "server", "registrar abuse", "code", "dnssec", "email", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "trid upx", "win16 ne", "generic", "packer", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "upx0", "1 upx1", "upx2", "sysinternals", "zenbox", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic", "utc na", "utc facebook", "html info", "meta tags", "commerce cloud", "trackers google", "tag manager", "gtmkj5bfwx", "utc gtmp4hkt96", "utc gtm5z5w687v", "sample", "t1497", "sandbox evasion", "may sleep", "downloads", "http performs", "mitre att", "evasion ta0005", "upx software", "t1036 creates", "get http", "post http", "number", "ja3s", "algorithm", "subject", "data", "server ca", "odigicert inc", "cus lsan", "calls", "text", "passive dns", "urls", "scan endpoints", "all scoreblue", "url https", "http", "ip address", "related nids", "files location", "as8068", "united", "unknown", "ref b", "wed may", "entries", "mtb dec", "body", "please", "twitter", "malware", "trojan", "trojan features", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "worm", "win32", "alf features", "aaaa", "cname", "united kingdom", "creation date", "certificate", "tlsv1", "oglobalsign", "stzhejiang", "lhangzhou", "oalibaba", "china", "encrypt", "copy", "write", "august", "local", "xport", "regsetvalueexa", "regdword", "regbinary", "medium", "high", "regsetvalueexw", "regsz", "langchinese", "delphi", "persistence", "execution", "read c", "create c", "msie", "windows nt", "wow64", "slcc2", "media center", "write c", "delete c", "mozilla", "as62597 nsone", "domain", "as20940", "as8075", "virtool", "whitelisted ip", "location united", "asn as8068", "registrar", "markmonitor", "tags", "related tags", "threat roundup", "october", "historical ssl", "referrer", "round", "december", "november", "guloader", "files", "detections file", "name file", "file size", "name", "html", "cab null", "ubuntu", "linux x8664", "contentlength", "gobrut", "malware c", "c request", "config", "meta", "photolan", "moved", "a domains", "as47748 daticum", "meta http", "content", "gmt server", "ipv4", "pragma", "apache", "sales", "expiration date", "name servers", "asnone bulgaria", "ns nxdomain", "nxdomain", "soa nxdomain", "cape", "gobrut malware", "suricata", "et malware", "bruter cnc", "checkin", "activity", "malware config", "yara detections", "contacted", "a li", "li ul", "div div", "set cookie", "as29873", "link", "hong kong", "as45102 alibaba", "div li", "gmt max", "age2592000 path", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "false", "as2914 ntt", "record value", "data redacted", "as4230 claro", "invalid url", "research group", "as13768 aptum", "canada unknown", "canada", "hostpapa", "hosting", "click", "rdds service", "record", "registrant", "admin", "tech contact", "script domains", "as3257 gtt", "asnone canada", "access denied", "servers", "emails", "as397241", "as31898 oracle", "as397240", "overview ip", "flag united", "hostname", "files domain", "as15169 google", "as396982 google", "as16625 akamai", "as35994 akamai", "france", "discovery", "t1010", "t1012", "t1027", "information", "t1055", "injection", "t1057", "t1059", "ssh attacker", "mitm", "aitm", "tracker", "botnet", "binary", "ghostscript", "brendan coates", "daley", "trent wiltshire", "aws botnet", "filehashsha256", "filehashsha1", "filehashmd5", "https", "salitiy", "unix malware", "created", "url http", "unix", "aws", "role title", "added active", "report spam", "quantumfiber", "denver co", "critical", "default", "traditional", "compiler", "intel", "ms windows", "ssdeep", "rich pe", "imphash", "utc gtm5z5w687v", "utc gtmp4hkt96", "pecompact", "packer", "ids", "commerce cloud", "meta tags", "gmt etag", "accept encoding", "accept", "status", "west domains", "path", "author avatar", "active file", "denver", "vt graph", "currently", "im unaware", "pnpd5d", "susp", "filehash", "av detections", "pecompact", "february", "asnone germany", "as21499 host", "singapore", "germany", "object", "alerts", "icmp traffic", "createdate", "microsoft color", "msft", "format", "as44273 host", "content type", "kodak easyshare", "easyshare", "eastman kodak", "kodak", "kukacka", "virus", "rsdsr7siwwd d", "install", "service", "explorer", "windows", "name type", "md5 process", "sqlite", "sqlite version", "active", "pre crime", "cyber attack", "hackers", "quantum fiber", "quantumfiber.com", "target tsara brashears", "tech id", "hallrender", "brian sabey", "hijack", "spotify artists", "idlinea8 sep", "xo544", "xa10629", "sitegg", "fcolorffffff", "net1", "inhibit system", "oracle", "level 3" ], "references": [ "QuantumFiber.com a 2nd look", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "Win.Dropper.LokiBot-9975730-0", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "Yara Detections: Delphi", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Unix.Malware.Generic:", "Unix.Malware.Generic:", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Keylogger.Banbra-9936388-0", "display_name": "Win.Keylogger.Banbra-9936388-0", "target": null }, { "id": "#LowFiMalf_gen", "display_name": "#LowFiMalf_gen", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "ALF:Ransom:Win32/Babax", "display_name": "ALF:Ransom:Win32/Babax", "target": null }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "ALF:PUA:Block:IObit", "display_name": "ALF:PUA:Block:IObit", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Unix.Malware.Generic-9875933-0", "display_name": "Unix.Malware.Generic-9875933-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Unix", "display_name": "Unix", "target": null }, { "id": "AWS", "display_name": "AWS", "target": null }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "PDF:UrlMal-inf\\ [Trj]", "display_name": "PDF:UrlMal-inf\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1510", "name": "Clipboard Modification", "display_name": "T1510 - Clipboard Modification" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1644, "FileHash-SHA1": 1614, "FileHash-SHA256": 2742, "URL": 2708, "domain": 2150, "hostname": 2508, "email": 21, "SSLCertFingerprint": 33, "CVE": 2 }, "indicator_count": 13422, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c5e0783f84565b1fe842e1", "name": "Twitter\u00bbX.com migration to malware templates Attorney Brian Sabey Hall Render ", "description": "", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-21T12:41:28.437000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": "66b910d6b8a1a2fade2e72f1", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 615, "domain": 368, "FileHash-SHA256": 1751, "hostname": 443, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 4022, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b910d6b8a1a2fade2e72f1", "name": "Twitter.com = X.com Migration to malware templates Brian Sabey photos| | Framing target| HoneyPots?", "description": "Again, multiple malicious X.com Twitter migration templates with photos of Brian Sabey and wife appear separately Sabey appear in Tsara Brashears search results with 'LDS Mafia' and Dia Sabey's 'Anti Trump' sentiment. Believed to be 'remotely' self hosted on a server purported to belong to Brashears. This has been done for a while to implicate target hosting and spreading well over 1 million illegal adult, murder,threat and darker sites,murls,domains. It's untrue and is considered framing since 2017, who reported it. \nRedirects to:\n\nhttps://twitter.com?mx=1\nTsara Brashears fake server is Brian Sabey, Red Team, potentially Law Enforcement, idk. \nIP address: 104.244.42.129\n\nHosting: Unknown\n\nRunning on: Tsa B (Tsara Brashears)\nCMS: Express\nPowered by: Express\n\n#VirTool:Win32/Obfuscator.ADB\nALF:E5.SpikeAex.DYNHASH\nTrojan:Win32/Upatre\nTrojan:Win32/Vflooder", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-11T19:28:22.948000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 451, "domain": 353, "FileHash-SHA256": 1714, "hostname": 418, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ca35f7202c88b2bf667c66", "name": "Ploprolo | Unix.Trojan.DarkNexus-7679166-0 | U.S. Department of Defense", "description": "Why not question suspect instead of threaten smear name in all types distasteful content. US DoD auto populated as did all tags. Link found in Adult website documented in court records. Investigate victim? Bryan Counts of upper management in Concentra telling victim Jeffrey Scott Reimer was a professional assaulter, believes there are other victims and he could be a killer. Counts back pedals they kept Reimer employed but from treating females, stating everything checked out. They are very sorry. Asked victim for hacked w'away recordings and told her 'Thank you for not pursuing our therapist.' 'You are no longer able to receive care here. I'm a public figure and I can't have this. My best friend is going to be the Sheriff. Hey yourselves a bunch of lawyers and hide. Surround yourself with people you can trust.' Mark Montano MD.\n@Kailula4 has an emptied graph of same custom Trojan. I have trouble believing it's the actual US Government. If it is, it's very sad.", "modified": "2024-09-23T18:04:30.948000", "created": "2024-08-24T19:35:19.416000", "tags": [ "asn as16625", "akamai", "link", "a domains", "as20940", "aaaa", "meta", "script", "input", "passive dns", "general", "united states", "as2914 ntt", "as721 dod", "as3257 gtt", "domain", "as2828 verizon", "as16625 akamai", "united", "as15169 google", "as44273 host", "search otx", "read c", "create c", "high", "memcommit", "delete", "write c", "module load", "dock", "write", "execution", "sample hash", "Injection", "inject", "analyzer threat", "ip summary", "detection list", "cisco umbrella", "alexa top", "million", "safe site", "cl0p ransomware", "maltiverse safe", "zbot", "malware", "ip address", "secretary", "defense", "defense lloyd", "strong", "support", "value", "joint chiefs", "minister", "ukraine", "service", "live", "honor", "department", "america", "defense og", "defense meta", "joint chief", "military", "government", "trackers", "external_resources", "third_party_cookies", "iframes", "today", "document file", "v2 document", "canada unknown", "canada", "invalid url", "scan endpoints", "all scoreblue", "ipv4", "url analysis", "creation date", "entries", "hostname", "date", "hostnames", "urls http", "mail spammer", "autorunmacro.d", "penalties", "army", "afghanistan", "journal julyaug", "stovl promises", "uas road", "cheers", "way ahead", "mor pdf", "armed forces", "copy", "format", "core", "createdate", "producer gimp", "navy", "title navy", "filehash", "av detections", "ids detections", "nxscspu", "zsextbzusbrvsk", "pxnzj", "jwxkrhdlrivprs", "qxrfnjuodik", "mncau", "csqvrkwsqka", "testpath path", "else", "xszcgdvlhymmww", "exploit", "win64", "null", "suspicious", "hotkey", "yara detections", "alerts", "analysis date", "file score", "brian sabey" ], "references": [ "http://analytics.com/track?id=54 | http://analytics.com/track?id=55", "IP\u2019s Contacted 104.123.122.11 204.79.197.200 | Domains Contacted www.defense.gov www.bing.com", "'http'://www.defense.gov/?date=2019-11-21 | http'://www.defense.gov ?", "Executed Commands: iexplore.exe \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" http://www.defense.gov/?date=2019-11-21", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0d34445978515452930712687a2b969955852dbbeb91011b3382e0efc1e4b13a", "AutorunMacro.D", "Yara Detections is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "@Kailula4 Pulse wiped? https://otx.alienvault.com/pulse/61b8f5afd7c432928006610d", "Prolexic (Parent organization?): Akamai Technologies: prolexicprotected.com | akaetp.net | akamai-trials.com | prolexic.net", "Unknown frontdoor.com A | test.unsubscribe.tapp.dpgmedia.cloud", "Tell your dog I said 'hi'" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [ { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Malware-gen\\ [Trj]", "display_name": "Malware-gen\\ [Trj]", "target": null }, { "id": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "display_name": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4572, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 448, "FileHash-MD5": 935, "URL": 267, "domain": 176, "FileHash-SHA256": 1504, "FileHash-SHA1": 616, "email": 3, "CVE": 1 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "573 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683aae863ba601bac1a28b5", "name": "Zombie.A \u2022 Bayrob in fake malware information website.", "description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?", "modified": "2024-08-01T06:03:26.298000", "created": "2024-07-02T07:23:20.582000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1639, "hostname": 973, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 8623, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669f882c5109175fe742fe58", "name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR [Pulse of IoC's Curated by user Streaming Ex]", "description": "", "modified": "2024-07-23T10:38:36.002000", "created": "2024-07-23T10:38:36.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709e14974bdb5d6dbda091", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "635 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66480cb1cc174fd804e0cef9", "name": "Elgoogle", "description": "", "modified": "2024-05-18T02:12:28.801000", "created": "2024-05-18T02:04:33.967000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f0bbdd32cb4b343a12f", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Elgoogle", "id": "281171", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "701 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3c65e0624f9debb56aadc", "name": "Zeppelin: Active in DGA domain links aimed towards individuals.", "description": "CISA: Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS).\nactors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense \n\ncontractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.\n\n\u2022 DGA: A Domain Generation Algorithm (DGA) is a type of algorithm used by malicious actors to generate a large number of domain names.", "modified": "2024-03-20T20:05:20.620000", "created": "2024-02-19T21:21:34.582000", "tags": [ "ssl certificate", "network", "malware", "contacted", "referrer", "communicating", "ransomware", "execution", "nullmixer", "monster", "zeppelin", "passive dns", "all octoseek", "related nids", "files location", "as16625 akamai", "invalid url", "present feb", "body html", "head title", "body h1", "reference", "body", "address", "akamai", "delphi", "norad tracking", "remote attack", "dga", "trojan", "cnc", "raas" ], "references": [ "http://www.metanetworks.org/tsara-lynn-brashears-dead", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a", "https://img1.wsimg.com/parking-lander/static/js/main.6b7ddab3.js" ], "public": 1, "adversary": "Buran", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Zeppelin", "display_name": "Ransom:Win32/Zeppelin", "target": "/malware/Ransom:Win32/Zeppelin" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 140, "FileHash-SHA1": 140, "FileHash-SHA256": 717, "URL": 29, "domain": 118, "email": 3, "hostname": 113 }, "indicator_count": 1260, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a756ee3c8ce2314e235a", "name": "Home Networks", "description": "", "modified": "2023-12-06T16:54:46.263000", "created": "2023-12-06T16:54:46.263000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 290, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709f0bbdd32cb4b343a12f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:19:23.067000", "created": "2023-12-06T16:19:23.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2514, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709eee2f74978bd15d60a9", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:53.346000", "created": "2023-12-06T16:18:53.346000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2219, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44904, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ed8415c89746a234d89", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:32.627000", "created": "2023-12-06T16:18:32.627000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 35 }, "indicator_count": 44903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ebd65cdc059b8e373ef", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:18:05.044000", "created": "2023-12-06T16:18:05.044000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2218, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1175, "hostname": 2519, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 36 }, "indicator_count": 44910, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ea58a4b251d0f7aac7b", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:41.816000", "created": "2023-12-06T16:17:41.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 37 }, "indicator_count": 44909, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e8b31eda9b13196277a", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:17:15.458000", "created": "2023-12-06T16:17:15.458000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2222, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1176, "hostname": 2513, "JA3": 2, "email": 83, "FileHash-SHA1": 7164, "CVE": 38 }, "indicator_count": 44911, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e736e1768898768814f", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:51.265000", "created": "2023-12-06T16:16:51.265000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2221, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1179, "hostname": 2521, "JA3": 2, "email": 84, "FileHash-SHA1": 7164, "CVE": 40 }, "indicator_count": 44924, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e5d4c59f8ac3f86f615", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-12-06T16:16:29.659000", "created": "2023-12-06T16:16:29.659000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2430, "FileHash-SHA256": 24526, "FileHash-MD5": 7187, "URL": 1331, "hostname": 2748, "JA3": 2, "email": 94, "CVE": 42, "FileHash-SHA1": 7164 }, "indicator_count": 45524, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e245df26a29e78d740a", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:32.595000", "created": "2023-12-06T16:15:32.595000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3144, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8417, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e1db42d958b88f07ca8", "name": "WHO IS MOBI GAMES AKA NIC", "description": "", "modified": "2023-12-06T16:15:25.303000", "created": "2023-12-06T16:15:25.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2428, "FileHash-MD5": 19, "URL": 2378, "hostname": 3141, "FileHash-SHA256": 307, "email": 87, "CVE": 47, "CIDR": 1, "FileHash-SHA1": 6 }, "indicator_count": 8414, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709e14974bdb5d6dbda091", "name": "WHO EVERYONE HAS BEEN LOOKING FOR", "description": "", "modified": "2023-12-06T16:15:16.406000", "created": "2023-12-06T16:15:16.406000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2066, "URL": 1939, "hostname": 2768, "FileHash-SHA256": 276, "email": 90, "CVE": 47, "CIDR": 1, "FileHash-MD5": 16, "FileHash-SHA1": 4 }, "indicator_count": 7207, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ded7d8a5ce8dba3444a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:37.212000", "created": "2023-12-06T16:14:37.212000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2362, "FileHash-SHA256": 24578, "FileHash-MD5": 7241, "URL": 1216, "hostname": 2688, "JA3": 2, "email": 97, "CVE": 43, "FileHash-SHA1": 7217 }, "indicator_count": 45444, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709dd6926a5676de0e2a19", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-12-06T16:14:13.668000", "created": "2023-12-06T16:14:13.668000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2427, "FileHash-SHA256": 24528, "FileHash-MD5": 7187, "URL": 1346, "hostname": 2829, "JA3": 2, "email": 99, "CVE": 43, "FileHash-SHA1": 7164 }, "indicator_count": 45625, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ca13f7a17df14af4912", "name": "WHO IS NIC", "description": "", "modified": "2023-12-06T16:09:05.625000", "created": "2023-12-06T16:09:05.625000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2485, "FileHash-MD5": 39, "URL": 2407, "hostname": 3208, "FileHash-SHA256": 328, "email": 91, "CVE": 45, "CIDR": 1, "FileHash-SHA1": 26 }, "indicator_count": 8630, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a49ed44fea53e9aeec5", "name": "home networks", "description": "", "modified": "2023-12-06T15:59:05.075000", "created": "2023-12-06T15:59:05.075000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2298, "FileHash-SHA256": 24535, "FileHash-MD5": 7197, "URL": 1188, "hostname": 2636, "JA3": 2, "email": 96, "CVE": 44, "FileHash-SHA1": 7174 }, "indicator_count": 45170, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64944a718c48be8bb9d2c315", "name": "WHO IS NIC", "description": "", "modified": "2023-11-14T06:01:29.027000", "created": "2023-06-22T13:19:45.357000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5199, "domain": 4162, "hostname": 5260, "email": 105, "FileHash-SHA256": 761, "FileHash-MD5": 40, "CVE": 97, "FileHash-SHA1": 28, "CIDR": 1 }, "indicator_count": 15653, "is_author": false, "is_subscribing": null, "subscriber_count": 96, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b78e5e7e24debcdd89b", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:56.851000", "created": "2023-10-30T02:56:56.851000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b77c1090397a32b6979", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:55.293000", "created": "2023-10-30T02:56:55.293000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1b744f82ff189926035a", "name": "Home Networks", "description": "", "modified": "2023-10-30T02:56:52.243000", "created": "2023-10-30T02:56:52.243000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65136f65f7240bd2ba4b325c", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c17dc55bd8ed9bca3d4c02", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-09-27T00:01:19.593000", "created": "2023-07-26T20:10:45.140000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3392, "URL": 2619, "hostname": 3967, "FileHash-MD5": 12115, "FileHash-SHA1": 12088, "FileHash-SHA256": 57501, "CVE": 61, "IPv4": 84, "email": 106, "JA3": 2 }, "indicator_count": 91935, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "935 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65136f65f7240bd2ba4b325c", "name": "Home Networks", "description": "", "modified": "2023-09-26T23:55:17.763000", "created": "2023-09-26T23:55:17.763000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3274, "URL": 2565, "hostname": 3853, "FileHash-MD5": 12061, "FileHash-SHA1": 12035, "FileHash-SHA256": 57447, "CVE": 68, "IPv4": 84, "email": 109, "JA3": 2 }, "indicator_count": 91498, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "935 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c0e9db04ed02765f336f16", "name": "Who is Joel lesperance", "description": "", "modified": "2023-09-23T01:05:28.173000", "created": "2023-07-26T09:39:39.925000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64944a718c48be8bb9d2c315", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3852, "domain": 2401, "hostname": 3458, "email": 127, "FileHash-SHA256": 637, "FileHash-MD5": 16, "CVE": 108, "FileHash-SHA1": 6 }, "indicator_count": 10605, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ab412e96e4858e508978c7", "name": "rogers", "description": "", "modified": "2023-09-07T00:03:31.457000", "created": "2023-07-09T23:22:22.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "hostname": 1682, "URL": 520, "CVE": 94, "email": 87, "FileHash-SHA256": 3120, "FileHash-MD5": 608, "FileHash-SHA1": 605 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 87, "modified_text": "955 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ab46ec79ba3a3f9f859541", "name": "rogers", "description": "", "modified": "2023-09-07T00:03:31.457000", "created": "2023-07-09T23:46:52.829000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 707, "hostname": 1550, "domain": 940, "CVE": 94, "email": 84, "FileHash-SHA256": 25, "FileHash-MD5": 2 }, "indicator_count": 3402, "is_author": false, "is_subscribing": null, "subscriber_count": 88, "modified_text": "955 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c82712d7810b852cabc855", "name": "WHO SAV.COM LLC (SOURCEADULT.COM)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-31T21:26:42.783000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64c17dc55bd8ed9bca3d4c02", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3442, "URL": 2763, "hostname": 4033, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57438, "CVE": 61, "IPv4": 84, "email": 105, "JA3": 2 }, "indicator_count": 92004, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c17dc34265fd1359962a8a", "name": "Who is SHAW.CA (TUSCOW DOMAINS)", "description": "", "modified": "2023-08-31T23:01:13.597000", "created": "2023-07-26T20:10:43.473000", "tags": [ "home wifi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "645a0d4c0e0c3cffd34ec23a", "export_count": 299, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3539, "URL": 3403, "hostname": 4473, "FileHash-MD5": 12051, "FileHash-SHA1": 12025, "FileHash-SHA256": 57441, "CVE": 63, "IPv4": 84, "email": 112, "JA3": 2 }, "indicator_count": 93193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "walmartmobile.cn", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "http://www.door.net/ARISBE/arisbe.htm", "AutorunMacro.D", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Yara Detections is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Block ID:\tEVA120 ?", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "https://unify.apideck.com/vault/callback", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "T1110.001 (Brute Force: Password Guessing)", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "What's going on here judiciary? Karen - cisa.gov? e.final", "47.courier-push-apple.com.akadns.net", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "QuantumFiber.com a 2nd look", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "'http'://www.defense.gov/?date=2019-11-21 | http'://www.defense.gov ?", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Tulach! It's been a minute - 114.114.114.114", "Andariel group \u00bb State-sponsored threat actor & Defense media", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Executed Commands: iexplore.exe \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" http://www.defense.gov/?date=2019-11-21", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Yara Detections stack_string , Armadillov1xxv2xx", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV", "http://www.metanetworks.org/tsara-lynn-brashears-dead", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://github.com/peeringdb/peeringdb-py", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "telemetry-incoming.r53-2.services.mozilla.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Unique antivirus detections for files communicating with IP address", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl", "Win.Dropper.LokiBot-9975730-0", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0d34445978515452930712687a2b969955852dbbeb91011b3382e0efc1e4b13a", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "Alerts: cape_detected_threat cape_extracted_content", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Unknown frontdoor.com A | test.unsubscribe.tapp.dpgmedia.cloud", "Unix.Malware.Generic:", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "https://twitter.com/404javascript.js", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "Obfuscation: XOR-based String Encryption (0x20)", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Yara Detections: Delphi", "http://www.google.com/images/errors/robot.png", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "IDS Detections: Suspicious double Server Header Possible Kelihos", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "f.search schema.org t.final", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "From the lovely Cyber Folks .PL Cover", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "00-skillsetparadesarrollo.zendesk.com", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "traceability-qa.walmartmobile.cn", "Prolexic (Parent organization?): Akamai Technologies: prolexicprotected.com | akaetp.net | akamai-trials.com | prolexic.net", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Yara Detections: DotNET_Reactor", "http://analytics.com/track?id=54 | http://analytics.com/track?id=55", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "https://uszoom.com/", "IP\u2019s Contacted 104.123.122.11 204.79.197.200 | Domains Contacted www.defense.gov www.bing.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "http://tshop.doido.com", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "@Kailula4 Pulse wiped? https://otx.alienvault.com/pulse/61b8f5afd7c432928006610d", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a", "https://img1.wsimg.com/parking-lander/static/js/main.6b7ddab3.js", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "nr-data.net [Apple Private Data Collection]", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "http://Object.prototype.hasOwnProperty.call", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Verification failure observed in automated verification handlers during sandbox replay.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "Tell your dog I said 'hi'", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malicious Score: 10", "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Buran", "NSO", "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "Blind Eagle" ], "malware_families": [ "Unix.malware.generic-9875933-0", "Trojan:win32/qbot", "Trojan.trojanbanker.android", "Alf:trojan:win32/formbook", "Worm:win32/enosch!atmn", "Trojan:win32/fanop", "Inject3.qgy", "Trojan:win32/zombie", "Malware:addscopytostartup", "Trojan:win32/startpage", "Worm:win32/autorun", "Alf:pua:block:iobit", "Nod32", "Virtool:win32/obfuscator", "Unix.trojan.darknexus-7679166-0", "#lowfimalf_gen", "Bayrob", "Virtool:win32/injector.gen!bq", "Win.trojan.sdum-9807706-0", "Trojan.bayrob/lazy", "Backdoor:win32/tofsee", "Alf:jasyp:trojandownloader:win32/quireap!atmn", "Trojan:win32/glupteba", "Alf:program:win32/webcompanion", "Trojan:win64/coinminer.we", "#virtool:win32/obfuscator.adb", "Alf:trojandownloader:powershell/ploprolo.db", "Unix", "Cve-2023-22518", "Cerber ransomware", "Noobyprotect", "Trojandownloader:win32/upatre", "Ninite", "Kelihos", "Sf:shellcode-au\\ [trj]", "Trojan:win32/zombie.a", "Cve-2023-4966", "Worm:win32/mofksys", "Trojan:win32/upatre", "Trojan:win32/vflooder", "Risktool.androidos.beto", "Malware-gen\\ [trj]", "Win.keylogger.banbra-9936388-0", "Formbook", "Backdoor:win32/zegost", "Pws:win32/zbot!ci", "Telper:hstr:clean:ninite", "Trojan:win32/neconyd", "Pdf:urlmal-inf\\ [trj]", "Win.trojan.generic-9935365-0", "Ransom:win32/zeppelin", "Alf:trojan:win32/cassini_6d4ebdc9", "Fakeav.for", "Trojandownloader:win32/cutwail", "Win.keylogger.susppack-9876601-0", "Virtool:win32/injector", "#lowfi:hstr:trojanspy:win32/bancos", "Malware family: stealthworker / gobrut", "Alf:heraklezeval:trojan:win32/predator!rfn", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Trojan:win32/dridex", "Alf:ransom:win32/babax", "Trojan:win32/smokeloader", "Trojanspy", "Tel:trojan:win64/goclr", "Et", "#lowfienabledtcontinueafterunpacking", "Etpro", "Alf:heraklezeval:ransom:win32/cve", "Nids", "Trojanspy:win32/nivdort.cw", "Aws", "Win32.meredrop checkin", "Alf:e5.spikeaex.dynhash", "Trojan:win32/cobaltstrike", "Win.dropper.lokibot-9975730-0", "Pdf.phishing.ttraffrobotinstall-7605656-0" ], "industries": [ "Media", "Telecommunications", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Civil society", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1b46238df27ff6680430a", "name": "Analysis- 12/12/24 Darkgate- 9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02.zip (MD5: 71E189A0B08891CFFAB6E656FC49E00A) Malicious activity - Interactive analysis ANY.RUN", "description": "<> Darkgate. Links wouldnt attach. User does not have whatsapp.", "modified": "2026-04-17T07:11:13.591000", "created": "2026-04-17T04:17:38.518000", "tags": [ "delete", "yara detections", "high", "medium", "whatsapp plugin", "whatsapp", "read", "write", "top source", "top destination", "virustotal", "guard", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 57, "FileHash-MD5": 54, "FileHash-SHA1": 50, "FileHash-SHA256": 431, "URL": 328, "hostname": 385, "domain": 409, "email": 51, "CIDR": 40 }, "indicator_count": 1805, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acfaa081607e1104c5b126", "name": "Ghost the real Cab riding G-HOST", "description": "Violating the basic human centric civil rights of cryptography.", "modified": "2026-04-07T04:11:52.201000", "created": "2026-03-08T04:27:12.578000", "tags": [ "name servers", "status", "as16625 akamai", "passive dns", "body", "urls", "akamai", "creation date", "date", "expiration date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 102, "URL": 11, "email": 2, "hostname": 20, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 746 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acfa9f581a36982e769080", "name": "Ghost the real Cab riding G-HOST", "description": "Violating the basic human centric civil rights of cryptography.", "modified": "2026-04-07T04:11:52.201000", "created": "2026-03-08T04:27:11.283000", "tags": [ "name servers", "status", "as16625 akamai", "passive dns", "body", "urls", "akamai", "creation date", "date", "expiration date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 103, "URL": 12, "email": 2, "hostname": 21, "FileHash-MD5": 38, "FileHash-SHA1": 38, "FileHash-SHA256": 521 }, "indicator_count": 735, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "540 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "searchguideinc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "searchguideinc.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776631391.86774 }