{
"type": "Domain",
"indicator": "server.de",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/server.de",
"alexa": "http://www.alexa.com/siteinfo/server.de",
"indicator": "server.de",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 398593851,
"indicator": "server.de",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d3699de4af81580993ca94",
"name": "Bloat-A Checkin | AutoRun | server.de \u2022 tvapp-server.de",
"description": "Downloads to targeted person\u2019s networks, Smart TV, and other devices , Win.Trojan.Emotet-9850453-0\n,\nWorm:Win32/AutoRun!atmn\nIDS Detections\nW32.Bloat-A Checkin\nSuspicious Dynamic DNS Update Request\nSuspicious User-Agent (MyApp)\nDYNAMIC_DNS Query to Abused Domain *.mooo.com\nYara Detections\nZeppelin_30\n, \nZeppelin_19\n, \nConventionEngine_Term_Desktop\n, \nConventionEngine_Term_Users\n, \nDelphi\nAlerts:\nprocmem_yara\nprocess_creation_suspicious_location\nmultiple_useragents\nnetwork_bind\nnetwork_cnc_https_socialmedia\npersistence_autorun\ncape_detected_threat\nnetwork_cnc_https_socialmedia\nantivm_generic_disk\ninfostealer_cookies\ninfostealer_keylog ,\nFile Win.Trojan.Emotet-9850453-0\n,\nWorm:Win32/AutoRun!atmn\nIDS Detections :\nW32.Bloat-A Checkin |\nSuspicious Dynamic DNS Update Request |\nSuspicious User-Agent (MyApp) |\nDYNAMIC_DNS Query to Abused Domain | *.mooo.com\nBobSoft Mini Delphi -> BoB / BobSoft",
"modified": "2025-10-24T02:02:14.846000",
"created": "2025-09-24T03:46:37.702000",
"tags": [
"united",
"present sep",
"passive dns",
"ip address",
"entries",
"present may",
"body doctype",
"html public",
"ietfdtd html",
"found title",
"germany unknown",
"next associated",
"gmt content",
"ipv4 add",
"pulse submit",
"url analysis",
"urls",
"files",
"worm",
"title",
"date",
"accept",
"read c",
"search",
"show",
"rgba",
"unicode",
"medium",
"memcommit",
"crlf line",
"yara detections",
"high",
"next",
"dock",
"write",
"execution",
"copy",
"name servers",
"arial",
"present jun",
"domain",
"trojan",
"meta",
"establishes",
"myapp",
"showing",
"yara rule",
"delphi",
"guard",
"malware",
"suspicious",
"unknown",
"ids detections",
"dns update",
"useragent",
"zeppelin30",
"zeppelin19",
"delphi alerts",
"contacted"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2471,
"domain": 248,
"hostname": 929,
"FileHash-SHA256": 419,
"FileHash-MD5": 181,
"FileHash-SHA1": 157,
"email": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 4408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "219 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "666d1488316880c73e04054e",
"name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS | Denver",
"description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.",
"modified": "2024-07-15T03:03:34.888000",
"created": "2024-06-15T04:11:52.737000",
"tags": [
"server",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"street",
"stateprovince",
"postal code",
"view whois",
"whois record",
"date",
"contact",
"threat roundup",
"november",
"march",
"december",
"february",
"october",
"january",
"highly targeted",
"data",
"boost mobile",
"formbook",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"ord52c2 via",
"cloudfront",
"sha1",
"pattern match",
"ascii text",
"document file",
"v2 document",
"crlf line",
"size",
"unicode",
"beginstring",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"unknown",
"embeddedwb",
"windows",
"search",
"medium",
"united",
"show",
"whitelisted",
"shellexecuteexw",
"msie",
"tofsee",
"service",
"write",
"win32",
"malware",
"copy",
"a nxdomain",
"passive dns",
"domain",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"urls",
"files",
"ip related",
"process32nextw",
"components",
"writeconsolew",
"copy c",
"delete c",
"query",
"useruin",
"delphi",
"capture",
"install",
"prorat",
"url http",
"http",
"related nids",
"files location",
"regsetvalueexa",
"hx88x89",
"regbinary",
"x95xd3xa4",
"x8dxb7xb7",
"hx88x9ax1e",
"mx81xd1r",
"x92xac",
"xc2x84",
"x93xaf",
"stream",
"persistence",
"execution",
"creation date",
"entries",
"as44273 host",
"record value",
"status",
"nxdomain",
"content type",
"accept",
"gmt server",
"gmt etag",
"accept encoding",
"ipv4",
"path",
"pragma",
"name servers",
"west domains",
"hostname",
"next",
"asnone germany",
"as21499 host",
"singapore",
"france",
"object",
"com cnt",
"dem fin",
"found",
"as16276",
"spain unknown",
"meta name",
"frame src",
"ok set",
"cookie",
"gmt date",
"gmt content",
"encrypt",
"levelblue",
"open threat",
"meta",
"a div",
"div div",
"france unknown",
"ok server",
"type",
"seychelles",
"whitesky",
"as29182 jsc",
"showing",
"as24940 hetzner",
"moved",
"expiration date",
"aaaa",
"russia",
"as15169 google",
"germany",
"emails",
"germany unknown",
"a domains",
"body doctype",
"html public",
"ietfdtd html",
"finland",
"asnone iran",
"iran",
"td tr",
"td td",
"tbody",
"tr tr",
"domains",
"backdoor",
"apple",
"radio hacking",
"voicestram",
"listening",
"trojan",
"twitter",
"servers",
"vbs",
"data center",
"avg clamav",
"msdefender sep",
"vitro mar",
"Win32:Vitro",
"target: tsara brashears",
"target: brashears personal devices",
"target: whitesky communication network",
"target: accounting firm devices",
"targets: intellectual property",
"redrum",
"open",
"tr tbody",
"rsa ca",
"apache",
"as7922 comcast",
"pulse submit",
"url analysis",
"epss",
"impact",
"cve cve20178977",
"exploits",
"targeted",
"cve overview",
"media"
],
"references": [
"Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com",
"cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network",
"High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall",
"Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383",
"network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features",
"Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports",
"Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com",
"message.htm.com | Ransomware",
"www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN",
"htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net",
"https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com",
"applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com",
"Some items found relates to research exploited against or researched by target: disabled_duck",
"Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26",
"Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae",
"Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268",
"3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com",
"3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147",
"3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot",
"3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs",
"3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin",
"3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn",
"3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,",
"85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login",
"87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ",
"87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0",
"CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977",
"CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Seychelles",
"Netherlands",
"France",
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win32:BackdoorX-gen\\ [Trj]",
"display_name": "Win32:BackdoorX-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Tofsee-6840338-0",
"display_name": "Win.Trojan.Tofsee-6840338-0",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Dursg.K",
"display_name": "Trojan:Win32/Dursg.K",
"target": "/malware/Trojan:Win32/Dursg.K"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Win.Trojan.Downloader-42770",
"display_name": "Win.Trojan.Downloader-42770",
"target": null
},
{
"id": "TrojanDownloader:JS/Nemucod.QJ",
"display_name": "TrojanDownloader:JS/Nemucod.QJ",
"target": "/malware/TrojanDownloader:JS/Nemucod.QJ"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Kamso",
"display_name": "Win32:Kamso",
"target": null
},
{
"id": "Win.Trojan.Magania-13720",
"display_name": "Win.Trojan.Magania-13720",
"target": null
},
{
"id": "Win32:Sality",
"display_name": "Win32:Sality",
"target": null
},
{
"id": "Win.Trojan.Swisyn-6819",
"display_name": "Win.Trojan.Swisyn-6819",
"target": null
},
{
"id": "Win32:SaliCode",
"display_name": "Win32:SaliCode",
"target": null
},
{
"id": "Win.Trojan.Agent-1313630",
"display_name": "Win.Trojan.Agent-1313630",
"target": null
},
{
"id": "Crypt_r.BCM",
"display_name": "Crypt_r.BCM",
"target": null
},
{
"id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
"display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1003.005",
"name": "Cached Domain Credentials",
"display_name": "T1003.005 - Cached Domain Credentials"
},
{
"id": "T1212",
"name": "Exploitation for Credential Access",
"display_name": "T1212 - Exploitation for Credential Access"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [
"Retail",
"Technology",
"Telecommunications",
"Civil Society",
"Online Shopping",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1965,
"hostname": 1378,
"domain": 1922,
"FileHash-SHA256": 2639,
"FileHash-MD5": 386,
"FileHash-SHA1": 377,
"email": 11,
"CVE": 2
},
"indicator_count": 8680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "685 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64a2b19b6dd5e4ff4d6f993a",
"name": "Threat Intel Report - W24-2023",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-08-02T11:00:08.290000",
"created": "2023-07-03T11:31:39.182000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 103,
"FileHash-MD5": 10,
"FileHash-SHA1": 10,
"FileHash-SHA256": 13,
"CVE": 4,
"domain": 12,
"hostname": 53
},
"indicator_count": 205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1033 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "646b27c60c837b46a8b02007",
"name": "Threat Intel Report - W21-2023",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-06-23T22:19:18.469000",
"created": "2023-05-22T08:28:54.403000",
"tags": [],
"references": [
"http://www.abuseat.org/lookup.cgis",
"https://urlhaus.abuse.ch/browse/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 90,
"CVE": 7,
"FileHash-MD5": 11,
"FileHash-SHA1": 11,
"FileHash-SHA256": 12,
"domain": 22,
"hostname": 94
},
"indicator_count": 247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "1072 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6396eaa02e310144bdee2239",
"name": "Threat Intel Report - W51-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-01-11T08:01:06.278000",
"created": "2022-12-12T08:47:28.496000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 42,
"hostname": 92,
"FileHash-MD5": 24,
"FileHash-SHA1": 28,
"FileHash-SHA256": 36,
"CVE": 1,
"URL": 89
},
"indicator_count": 312,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1236 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "638dcbd385c4c8b071d944fe",
"name": "Threat Intel Report - W50-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly based recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-01-04T10:01:53.783000",
"created": "2022-12-05T10:45:39.829000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 101,
"CVE": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 10,
"FileHash-SHA256": 13,
"domain": 20,
"hostname": 33
},
"indicator_count": 188,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "1243 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6384777e524ec4344d25de0b",
"name": "Threat Intel Report - W49-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly based recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2022-12-28T08:03:15.043000",
"created": "2022-11-28T08:55:26.933000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 5,
"FileHash-SHA1": 7,
"FileHash-SHA256": 12,
"URL": 102,
"domain": 38,
"hostname": 45
},
"indicator_count": 210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 106,
"modified_text": "1250 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "633175e64b9159c220fb14a0",
"name": "Threat Intel Advisory Report - W40-2022",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.",
"modified": "2022-10-26T09:02:08.137000",
"created": "2022-09-26T09:50:30.871000",
"tags": [],
"references": [
"https://www.dnsbl.info/",
"https://psbl.org/",
"https://urlhaus.abuse.ch/browse/",
"https://www.silobreaker.com/category/threat-reports/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 64,
"domain": 56,
"FileHash-MD5": 13,
"FileHash-SHA1": 32,
"FileHash-SHA256": 25,
"URL": 42
},
"indicator_count": 232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 106,
"modified_text": "1313 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "624d5375489ddf48d249cf04",
"name": "TM Feed 05042022",
"description": "",
"modified": "2022-05-06T00:03:41.989000",
"created": "2022-04-06T08:46:45.542000",
"tags": [],
"references": [
"TM Feed 05042022"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 45,
"CVE": 4,
"FileHash-MD5": 3,
"FileHash-SHA1": 10,
"FileHash-SHA256": 3,
"URL": 148,
"domain": 37
},
"indicator_count": 250,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1486 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "620cd2d0fd8257b6f1f3c693",
"name": "TM Feed 15022022",
"description": "TM Feed 15022022",
"modified": "2022-03-18T00:04:44.902000",
"created": "2022-02-16T10:32:48.227000",
"tags": [],
"references": [
"TM Feed 15022022"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 14,
"URL": 54,
"CVE": 8,
"FileHash-SHA1": 10,
"hostname": 15
},
"indicator_count": 101,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1535 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae",
"https://psbl.org/",
"www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN",
"CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882",
"Can the DoD no questions asked target a SA victim",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login",
"https://www.dnsbl.info/",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com",
"iamrobert.com Y.A.S.",
"3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn",
"3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com",
"Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"https://es.pornhat.com/models/the-sex-creator/",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://urlhaus.abuse.ch/browse/",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977",
"Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26",
"3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com",
"3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147",
"TM Feed 05042022",
"IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports",
"message.htm.com | Ransomware",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,",
"cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network",
"Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com",
"87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.spamhaus.org/xbl/",
"http://www.abuseat.org/lookup.cgis",
"TM Feed 15022022",
"https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs",
"If someone is believed to be a threat they have right to due process.",
"Target agreed and complied with all lie detector measures.",
"Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268",
"Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"I am very upset. Whoever is doing this is sick.",
"3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall",
"https://www.silobreaker.com/category/threat-reports/",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net",
"https://meumundogay-com.sexogratis.page/locker",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Some items found relates to research exploited against or researched by target: disabled_duck",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0",
"There is fear in silence or speaking out",
"3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Win.trojan.magania-13720",
"Win32:backdoorx-gen\\ [trj]",
"Trojandownloader:js/nemucod.qj",
"Win.trojan.agent-1313630",
"Win.trojan.swisyn-6819",
"Win32:sality",
"Win.packer.pkr_ce1a-9980177-0",
"Backdoor:win32/tofsee.t",
"Win.trojan.downloader-42770",
"Win32:salicode",
"Apnic",
"Win32:trojan-gen",
"Alf:exploit:o97m/cve-2017-8977",
"Win.trojan.tofsee-6840338-0",
"Trojan:win32/dursg.k",
"Crypt_r.bcm",
"Win32:kamso",
"Alf:aggr:exploit:o97m/cve-2017-11882",
"Malware"
],
"industries": [
"Telecommunications",
"Technology",
"Online shopping",
"Retail",
"Civil society",
"Legal"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d3699de4af81580993ca94",
"name": "Bloat-A Checkin | AutoRun | server.de \u2022 tvapp-server.de",
"description": "Downloads to targeted person\u2019s networks, Smart TV, and other devices , Win.Trojan.Emotet-9850453-0\n,\nWorm:Win32/AutoRun!atmn\nIDS Detections\nW32.Bloat-A Checkin\nSuspicious Dynamic DNS Update Request\nSuspicious User-Agent (MyApp)\nDYNAMIC_DNS Query to Abused Domain *.mooo.com\nYara Detections\nZeppelin_30\n, \nZeppelin_19\n, \nConventionEngine_Term_Desktop\n, \nConventionEngine_Term_Users\n, \nDelphi\nAlerts:\nprocmem_yara\nprocess_creation_suspicious_location\nmultiple_useragents\nnetwork_bind\nnetwork_cnc_https_socialmedia\npersistence_autorun\ncape_detected_threat\nnetwork_cnc_https_socialmedia\nantivm_generic_disk\ninfostealer_cookies\ninfostealer_keylog ,\nFile Win.Trojan.Emotet-9850453-0\n,\nWorm:Win32/AutoRun!atmn\nIDS Detections :\nW32.Bloat-A Checkin |\nSuspicious Dynamic DNS Update Request |\nSuspicious User-Agent (MyApp) |\nDYNAMIC_DNS Query to Abused Domain | *.mooo.com\nBobSoft Mini Delphi -> BoB / BobSoft",
"modified": "2025-10-24T02:02:14.846000",
"created": "2025-09-24T03:46:37.702000",
"tags": [
"united",
"present sep",
"passive dns",
"ip address",
"entries",
"present may",
"body doctype",
"html public",
"ietfdtd html",
"found title",
"germany unknown",
"next associated",
"gmt content",
"ipv4 add",
"pulse submit",
"url analysis",
"urls",
"files",
"worm",
"title",
"date",
"accept",
"read c",
"search",
"show",
"rgba",
"unicode",
"medium",
"memcommit",
"crlf line",
"yara detections",
"high",
"next",
"dock",
"write",
"execution",
"copy",
"name servers",
"arial",
"present jun",
"domain",
"trojan",
"meta",
"establishes",
"myapp",
"showing",
"yara rule",
"delphi",
"guard",
"malware",
"suspicious",
"unknown",
"ids detections",
"dns update",
"useragent",
"zeppelin30",
"zeppelin19",
"delphi alerts",
"contacted"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2471,
"domain": 248,
"hostname": 929,
"FileHash-SHA256": 419,
"FileHash-MD5": 181,
"FileHash-SHA1": 157,
"email": 1,
"SSLCertFingerprint": 2
},
"indicator_count": 4408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "219 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "666d1488316880c73e04054e",
"name": "Prorat.19.i | Backdoor:Win32/Tofsee.T - Amazon.com | iOS | Denver",
"description": "Targets family members device attacked while shopping on Amazon.com using an obviously device compromised, newer, fully updated iOS device. \nAmazon legal? [legal-choice.ru, youla.legal, https://www.effectv.com/legal/advertiser-terms-and-conditions]\n[applehealthcare.com apple-rehab.com: Backdoor:Win32/Tofsee.T]\nAdversarial CnC over devices and networks.\nRelentless attacks.",
"modified": "2024-07-15T03:03:34.888000",
"created": "2024-06-15T04:11:52.737000",
"tags": [
"server",
"hostmaster",
"amazon legal",
"dept",
"amazon",
"street",
"stateprovince",
"postal code",
"view whois",
"whois record",
"date",
"contact",
"threat roundup",
"november",
"march",
"december",
"february",
"october",
"january",
"highly targeted",
"data",
"boost mobile",
"formbook",
"response final",
"url https",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"ord52c2 via",
"cloudfront",
"sha1",
"pattern match",
"ascii text",
"document file",
"v2 document",
"crlf line",
"size",
"unicode",
"beginstring",
"null",
"hybrid",
"refresh",
"body",
"span",
"june",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"unknown",
"embeddedwb",
"windows",
"search",
"medium",
"united",
"show",
"whitelisted",
"shellexecuteexw",
"msie",
"tofsee",
"service",
"write",
"win32",
"malware",
"copy",
"a nxdomain",
"passive dns",
"domain",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"urls",
"files",
"ip related",
"process32nextw",
"components",
"writeconsolew",
"copy c",
"delete c",
"query",
"useruin",
"delphi",
"capture",
"install",
"prorat",
"url http",
"http",
"related nids",
"files location",
"regsetvalueexa",
"hx88x89",
"regbinary",
"x95xd3xa4",
"x8dxb7xb7",
"hx88x9ax1e",
"mx81xd1r",
"x92xac",
"xc2x84",
"x93xaf",
"stream",
"persistence",
"execution",
"creation date",
"entries",
"as44273 host",
"record value",
"status",
"nxdomain",
"content type",
"accept",
"gmt server",
"gmt etag",
"accept encoding",
"ipv4",
"path",
"pragma",
"name servers",
"west domains",
"hostname",
"next",
"asnone germany",
"as21499 host",
"singapore",
"france",
"object",
"com cnt",
"dem fin",
"found",
"as16276",
"spain unknown",
"meta name",
"frame src",
"ok set",
"cookie",
"gmt date",
"gmt content",
"encrypt",
"levelblue",
"open threat",
"meta",
"a div",
"div div",
"france unknown",
"ok server",
"type",
"seychelles",
"whitesky",
"as29182 jsc",
"showing",
"as24940 hetzner",
"moved",
"expiration date",
"aaaa",
"russia",
"as15169 google",
"germany",
"emails",
"germany unknown",
"a domains",
"body doctype",
"html public",
"ietfdtd html",
"finland",
"asnone iran",
"iran",
"td tr",
"td td",
"tbody",
"tr tr",
"domains",
"backdoor",
"apple",
"radio hacking",
"voicestram",
"listening",
"trojan",
"twitter",
"servers",
"vbs",
"data center",
"avg clamav",
"msdefender sep",
"vitro mar",
"Win32:Vitro",
"target: tsara brashears",
"target: brashears personal devices",
"target: whitesky communication network",
"target: accounting firm devices",
"targets: intellectual property",
"redrum",
"open",
"tr tbody",
"rsa ca",
"apache",
"as7922 comcast",
"pulse submit",
"url analysis",
"epss",
"impact",
"cve cve20178977",
"exploits",
"targeted",
"cve overview",
"media"
],
"references": [
"Targets Apple iPad /iOS | www.amazon.com/ref=ap_frn_logo [embedded] | www.amazon.com ns1.amzndns.co.uk , ns1.amzndns.com",
"cory@whiteskycommunications.com IP: 137.83.95.132 targets victims associates Amazon account and all devices. CnC target Network",
"High Priority Alerts: dead_host network_icmp nolookup_communication persistence_autorun bypass_firewall",
"Win32/Tofsee.AX - https://otx.alienvault.com/indicator/file/47565f3a809e997530e8b0d1602a39cb9cc3dd9e1361db2f9dd5891dfd444383",
"network_http suspicious_tld allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process stealth_window packer_entropy uses_windows_utilities console_output pe_features",
"Prorat.19.i: https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"IDS: Prorat.19.i Checkin | DYNAMIC_DNS Query to a Suspicious no-ip Domain | CP Email Send via HTTP - Often Trojan Install Reports",
"Domains Contacted: you.no-ip.com smtp.secureserver.net www.icq.com www.yoursite.com gmali.com",
"message.htm.com | Ransomware",
"www.test_ico355_subsequent_invoices.htm.com\tA NXDOMAIN",
"htm.com: htm | prod.phx3.secureserver.net | unknown.ip.secureserver.net",
"https://otx.alienvault.com/indicator/file/03f92e83f56ad2d687ee2fb7ab21b7fea0bebc1abc82d387a52510b61506e68f",
"Win.Trojan.Tofsee-6840338-0 | https://otx.alienvault.com/indicator/domain/applehealthcare.com",
"applegatecode.com, applehealthcare.com, nord-com.it, mail.apple-rehab.com, msa-smtp-mx1.hinet.net, https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-114x114.png No Expiration\t0\t Domain itae-innova.com No Expiration\t0\t URL https://itae-innova.com/wp-content/themes/itaeinnova/images/apple-touch-icon-152x152.png, 50.205.3.1 2024-07-14T22:00:00\t0\t Domain apple-rehab.com No Expiration\t0\t Domain applegatecode.com",
"Some items found relates to research exploited against or researched by target: disabled_duck",
"Crypt_r.AWJ: FileHash-SHA256 cc83b186700b21e5c4cae0f8236ae3e50ab47c2c21a3987ea00463056cbd1c26",
"Crypt_r.BCM: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"Crypt_r.BCM: FileHash-SHA256 cc83b186700b21e5c4cae",
"Crypt_r.BDI: FileHash-SHA256 1e0449b5a573e08289ba8de12b70410abfb021f81819b462cd7659fbcb361b11",
"Crypt_r.BDI: FileHash-SHA256 71906e67e75f832dfbd2c63fde953d76b6502e48e78badd3ef6fe30d02390268",
"3.33.152.147: Trojan:Win32/Dursg.K | Verdict External> IP Lookup Service Classification Cloud provider Reverse DNS a4ec4c6ea1c92e2e6.awsglobalaccelerator.com",
"3.33.152.147: https://otx.alienvault.com/indicator/ip/3.33.152.147",
"3.33.152.147 - High Priority IDS Detections: Worm.Win32/Chiviper.C Checkin Possible Fake AV Checkin Kazy/Kryptor/Cycbot",
"3.33.152.147 - High Priority IDS Detections: Trojan Checkin Win32.Meredrop Checkin CryptoWall Check-in Net-Worm.Win32.Koobface.jxs",
"3.33.152.147 - High Priority IDS Detections: Checkin Virut Counter/Check-in Backdoor.Win32.Polybot.A Checkin 3 Koobface HTTP Request (2) Win32.Sality-GR Checkin",
"3.33.152.147 - ALF:HSTR:Trojan:Win32/StartPage.ZS!bit , ALF:HeraklezEval:PUA:Win32/InstallCore.R , ALF:HeraklezEval:Ransom:Win32/Tescrypt!rfn",
"3.33.152.147 - Antivirus Detections: !#AddsCopyToStartup , !#HSTR:SigGen0136cb6c , ALF:AGGR:OpcCl:99!ml , ALF:Exploit:O97M/CVE-2017-8977",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Startpage!rfn , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"3.33.152.147 - Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/SpyNoon!rfn ,",
"85.10.215.232 - Classification Datacenter / Hosting / VPS Reverse DNS dediextern.your-server.de Location: Munich, Germany | konsoleH :: Login",
"87.98.231.87 - Classification Datacenter / Hosting / VPS Reverse DNS cluster014.ovh.net Location; Spain | AVD:: TrojanDownloader:JS/Nemucod.QJ",
"87.98.231.87 - IDS Detections: MalDoc Request for Payload, Unsupported/Fake Windows NT Version 5.0",
"CVE-2017-8977 - https://otx.alienvault.com/indicator/cve/CVE-2017-8977",
"CVE-2017-11882 - https://otx.alienvault.com/indicator/cve/CVE-2017-11882"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Seychelles",
"Netherlands",
"France",
"United States of America"
],
"malware_families": [
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Win32:BackdoorX-gen\\ [Trj]",
"display_name": "Win32:BackdoorX-gen\\ [Trj]",
"target": null
},
{
"id": "Win.Trojan.Tofsee-6840338-0",
"display_name": "Win.Trojan.Tofsee-6840338-0",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Trojan:Win32/Dursg.K",
"display_name": "Trojan:Win32/Dursg.K",
"target": "/malware/Trojan:Win32/Dursg.K"
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Win.Trojan.Downloader-42770",
"display_name": "Win.Trojan.Downloader-42770",
"target": null
},
{
"id": "TrojanDownloader:JS/Nemucod.QJ",
"display_name": "TrojanDownloader:JS/Nemucod.QJ",
"target": "/malware/TrojanDownloader:JS/Nemucod.QJ"
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Kamso",
"display_name": "Win32:Kamso",
"target": null
},
{
"id": "Win.Trojan.Magania-13720",
"display_name": "Win.Trojan.Magania-13720",
"target": null
},
{
"id": "Win32:Sality",
"display_name": "Win32:Sality",
"target": null
},
{
"id": "Win.Trojan.Swisyn-6819",
"display_name": "Win.Trojan.Swisyn-6819",
"target": null
},
{
"id": "Win32:SaliCode",
"display_name": "Win32:SaliCode",
"target": null
},
{
"id": "Win.Trojan.Agent-1313630",
"display_name": "Win.Trojan.Agent-1313630",
"target": null
},
{
"id": "Crypt_r.BCM",
"display_name": "Crypt_r.BCM",
"target": null
},
{
"id": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
"display_name": "ALF:AGGR:Exploit:O97M/CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1416",
"name": "URI Hijacking",
"display_name": "T1416 - URI Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1003.005",
"name": "Cached Domain Credentials",
"display_name": "T1003.005 - Cached Domain Credentials"
},
{
"id": "T1212",
"name": "Exploitation for Credential Access",
"display_name": "T1212 - Exploitation for Credential Access"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [
"Retail",
"Technology",
"Telecommunications",
"Civil Society",
"Online Shopping",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1965,
"hostname": 1378,
"domain": 1922,
"FileHash-SHA256": 2639,
"FileHash-MD5": 386,
"FileHash-SHA1": 377,
"email": 11,
"CVE": 2
},
"indicator_count": 8680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "685 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64a2b19b6dd5e4ff4d6f993a",
"name": "Threat Intel Report - W24-2023",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-08-02T11:00:08.290000",
"created": "2023-07-03T11:31:39.182000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 103,
"FileHash-MD5": 10,
"FileHash-SHA1": 10,
"FileHash-SHA256": 13,
"CVE": 4,
"domain": 12,
"hostname": 53
},
"indicator_count": 205,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1033 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "646b27c60c837b46a8b02007",
"name": "Threat Intel Report - W21-2023",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-06-23T22:19:18.469000",
"created": "2023-05-22T08:28:54.403000",
"tags": [],
"references": [
"http://www.abuseat.org/lookup.cgis",
"https://urlhaus.abuse.ch/browse/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 90,
"CVE": 7,
"FileHash-MD5": 11,
"FileHash-SHA1": 11,
"FileHash-SHA256": 12,
"domain": 22,
"hostname": 94
},
"indicator_count": 247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "1072 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6396eaa02e310144bdee2239",
"name": "Threat Intel Report - W51-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-01-11T08:01:06.278000",
"created": "2022-12-12T08:47:28.496000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 42,
"hostname": 92,
"FileHash-MD5": 24,
"FileHash-SHA1": 28,
"FileHash-SHA256": 36,
"CVE": 1,
"URL": 89
},
"indicator_count": 312,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 107,
"modified_text": "1236 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "638dcbd385c4c8b071d944fe",
"name": "Threat Intel Report - W50-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly based recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2023-01-04T10:01:53.783000",
"created": "2022-12-05T10:45:39.829000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 101,
"CVE": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 10,
"FileHash-SHA256": 13,
"domain": 20,
"hostname": 33
},
"indicator_count": 188,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "1243 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6384777e524ec4344d25de0b",
"name": "Threat Intel Report - W49-2022.pdf",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly based recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.",
"modified": "2022-12-28T08:03:15.043000",
"created": "2022-11-28T08:55:26.933000",
"tags": [],
"references": [
"https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time",
"https://www.dnsbl.info/",
"https://www.spamhaus.org/xbl/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 5,
"FileHash-SHA1": 7,
"FileHash-SHA256": 12,
"URL": 102,
"domain": 38,
"hostname": 45
},
"indicator_count": 210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 106,
"modified_text": "1250 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "633175e64b9159c220fb14a0",
"name": "Threat Intel Advisory Report - W40-2022",
"description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.",
"modified": "2022-10-26T09:02:08.137000",
"created": "2022-09-26T09:50:30.871000",
"tags": [],
"references": [
"https://www.dnsbl.info/",
"https://psbl.org/",
"https://urlhaus.abuse.ch/browse/",
"https://www.silobreaker.com/category/threat-reports/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aa00643640@techmahindra.com",
"id": "156540",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 64,
"domain": 56,
"FileHash-MD5": 13,
"FileHash-SHA1": 32,
"FileHash-SHA256": 25,
"URL": 42
},
"indicator_count": 232,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 106,
"modified_text": "1313 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "server.de",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "server.de",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780248974.7698557
}