{ "type": "Domain", "indicator": "serverless-dev.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/serverless-dev.com", "alexa": "http://www.alexa.com/siteinfo/serverless-dev.com", "indicator": "serverless-dev.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3383318772, "indicator": "serverless-dev.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 28, "pulses": [ { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e2e68815e273bfc30a2331", "name": "NSO Group \u2022 OTX Auto Pulse \u2022 bethesda[.]net ", "description": "", "modified": "2025-11-04T20:00:18.711000", "created": "2025-10-05T21:43:36.998000", "tags": [ "present aug", "present jun", "united", "present sep", "status", "present jul", "elder scrolls", "aaaa", "present oct", "creation date", "body", "date", "fallout", "evil", "title", "server", "domain status", "registrar abuse", "dnssec", "domain name", "contact email", "contact phone", "registrar iana", "host name", "handle", "rdap database", "iana registrar", "entity roles", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus oamazon", "cnamazon rsa", "m03 validity", "subject public", "key info", "record type", "ttl value", "india unknown", "present dec", "a domains", "script urls", "search", "present may", "present apr", "present mar", "present feb", "service", "meta", "encrypt", "passive dns", "entries", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "trojan", "servers", "name servers", "hostname add", "ip address", "domain", "showing", "spyware", "pegasus", "graphite", "paragon", "nso group", "security", "samsung", "google", "amazon", "malware", "nso", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "script", "ascii text", "pattern match", "null", "refresh", "starfield", "heretic", "doom", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "code", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NSO", "display_name": "NSO", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "68e2db3a16fcfd7d323f105b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 79, "FileHash-SHA256": 322, "email": 6, "hostname": 1577, "URL": 4971, "domain": 927 }, "indicator_count": 7951, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e2db3a16fcfd7d323f105b", "name": "[ https://] bethesda[.]net - Spyware", "description": "Bethesda net | Appears as a Gaming platform - Steam ~ | Is Offensive Security | \n\n(cloudfront.net)\n\nName :Legal Department\nName Servers :NS-1306.AWSDNS-35.ORG\n3.163.24.4\nReverse DNS\nserver-3-163-24-4.hio52.r.cloudfront.net\nLocation:\nUnited States of America\nASN :\nASNone\nPositive: bad traffic, spyware \nRelated Tags from 325+\nPulses some may no longer be relevant just related : Spyware\n, \nTrojan\n, \nPegasus\n, \nDNS\n, \nGraphite\n, \nParagon\n, \nNSO\n, \nNSO Group\n, \nSecurity\n, \nSamsung\n, \nGoogle\n, \nAmazon\n, \nHP\n, \nCloudflare\n, \nEndgame\n, \nEurope\n, \nEspionage\n, \nMalware\n | (Seen before: \nhelixcloud.ch)\nI\u2019d like a a try pulse from OTX , not possible , page kept refreshing\u2026", "modified": "2025-11-04T20:00:18.711000", "created": "2025-10-05T20:55:22.423000", "tags": [ "present aug", "present jun", "united", "present sep", "status", "present jul", "elder scrolls", "aaaa", "present oct", "creation date", "body", "date", "fallout", "evil", "title", "server", "domain status", "registrar abuse", "dnssec", "domain name", "contact email", "contact phone", "registrar iana", "host name", "handle", "rdap database", "iana registrar", "entity roles", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus oamazon", "cnamazon rsa", "m03 validity", "subject public", "key info", "record type", "ttl value", "india unknown", "present dec", "a domains", "script urls", "search", "present may", "present apr", "present mar", "present feb", "service", "meta", "encrypt", "passive dns", "entries", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "trojan", "servers", "name servers", "hostname add", "ip address", "domain", "showing", "spyware", "pegasus", "graphite", "paragon", "nso group", "security", "samsung", "google", "amazon", "malware", "nso", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "script", "ascii text", "pattern match", "null", "refresh", "starfield", "heretic", "doom", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "code", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NSO", "display_name": "NSO", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 79, "FileHash-SHA256": 322, "email": 6, "hostname": 1577, "URL": 4971, "domain": 927 }, "indicator_count": 7951, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4bc7487548e66d6f004", "name": "Virus:DOS/Goma", "description": "", "modified": "2023-12-06T16:43:40.375000", "created": "2023-12-06T16:43:40.375000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4b4259cafcf79907b2f", "name": "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection and Distribution", "description": "", "modified": "2023-12-06T16:43:32.408000", "created": "2023-12-06T16:43:32.408000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4ac54885a7e866cedca", "name": "Elevated Exposure", "description": "", "modified": "2023-12-06T16:43:24.027000", "created": "2023-12-06T16:43:24.027000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4a3ac21d7733c8e1040", "name": "Malvertising", "description": "", "modified": "2023-12-06T16:43:15.632000", "created": "2023-12-06T16:43:15.632000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a49b0b6595444a3fdd9a", "name": "passkey.tracker.net", "description": "", "modified": "2023-12-06T16:43:07.031000", "created": "2023-12-06T16:43:07.031000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a49207f81d6791c30194", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "", "modified": "2023-12-06T16:42:58.146000", "created": "2023-12-06T16:42:58.146000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4876f8d1d174f717e7b", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "", "modified": "2023-12-06T16:42:47.591000", "created": "2023-12-06T16:42:47.591000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a47e33876ed78e19e1da", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "", "modified": "2023-12-06T16:42:38.479000", "created": "2023-12-06T16:42:38.479000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e178755574d9812e4c9", "name": "Followed lead to brechlerinsurance.com", "description": "", "modified": "2023-12-06T15:07:03.528000", "created": "2023-12-06T15:07:03.528000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1329, "domain": 2068, "hostname": 4185, "URL": 12454, "email": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 20043, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708dff34f37412488dda2a", "name": "Digital Ocean", "description": "", "modified": "2023-12-06T15:06:38.991000", "created": "2023-12-06T15:06:38.991000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 703, "domain": 734, "URL": 5116, "hostname": 1266, "email": 3 }, "indicator_count": 7823, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707f02354c2493b26aca12", "name": "Neustar.biz", "description": "", "modified": "2023-12-06T14:02:42.071000", "created": "2023-12-06T14:02:42.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 584, "domain": 248, "URL": 1305, "hostname": 656, "CVE": 1, "email": 7, "FileHash-SHA1": 6, "FileHash-MD5": 5 }, "indicator_count": 2812, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "650361b276a56506778d9231", "name": "Virus:DOS/Goma", "description": "", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:40:34.562000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6503618b59e32805d0bbead7", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6503618b59e32805d0bbead7", "name": "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection and Distribution ", "description": "", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:39:55.364000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6503612851bdda6828f488da", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6503612851bdda6828f488da", "name": "Elevated Exposure ", "description": "", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:38:16.617000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6503610f5f100cd8acad748e", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6503610f5f100cd8acad748e", "name": "Malvertising", "description": "", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:37:51.730000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65036040d3847fa5df0b8496", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65036040d3847fa5df0b8496", "name": "passkey.tracker.net", "description": "", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:34:24.232000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "65035fea189a32c0498667d9", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65035fee309320821ec82f95", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "Alert: nr-data.net private Apple) iOS Data Collection & Distribution. Automatically flags as an investigation. Tag 'police agency's auto generated. It's possible with Edward Snowden disclosures, it seems unlikely and completely unethical. Extremely graphic adult content with, beacons, tracking Malicious content poses a cyber threat to the general public , iOS privileges, mouse control, phishing, scanning, open registry, service execution, hooking, passkeys and more. \nAppears in a Japanese themed video game and paired targets. Male subject common name have a profession, many with same name. Female target is singular, occupation & professions. Verdict: cyber espionage threat targeting overtly tarnished female. Potential Spreading issues: False distribution by false distributers of targets, hacked, malware singed, intangible downloads. \nAdult content doesn't portray targets. Tagging. \n(New-Issued by Cloudflare \nshi(.)cloudflaressl(.)com)", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:33:02.262000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65035fec3cd7bba66ebcef0b", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "Alert: nr-data.net private Apple) iOS Data Collection & Distribution. Automatically flags as an investigation. Tag 'police agency's auto generated. It's possible with Edward Snowden disclosures, it seems unlikely and completely unethical. Extremely graphic adult content with, beacons, tracking Malicious content poses a cyber threat to the general public , iOS privileges, mouse control, phishing, scanning, open registry, service execution, hooking, passkeys and more. \nAppears in a Japanese themed video game and paired targets. Male subject common name have a profession, many with same name. Female target is singular, occupation & professions. Verdict: cyber espionage threat targeting overtly tarnished female. Potential Spreading issues: False distribution by false distributers of targets, hacked, malware singed, intangible downloads. \nAdult content doesn't portray targets. Tagging. \n(New-Issued by Cloudflare \nshi(.)cloudflaressl(.)com)", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:33:00.802000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65035fea189a32c0498667d9", "name": "Cyber Espionage w/B(.) Link / Infringement (Tracking)", "description": "Alert: nr-data.net private Apple) iOS Data Collection & Distribution. Automatically flags as an investigation. Tag 'police agency's auto generated. It's possible with Edward Snowden disclosures, it seems unlikely and completely unethical. Extremely graphic adult content with, beacons, tracking Malicious content poses a cyber threat to the general public , iOS privileges, mouse control, phishing, scanning, open registry, service execution, hooking, passkeys and more. \nAppears in a Japanese themed video game and paired targets. Male subject common name have a profession, many with same name. Female target is singular, occupation & professions. Verdict: cyber espionage threat targeting overtly tarnished female. Potential Spreading issues: False distribution by false distributers of targets, hacked, malware singed, intangible downloads. \nAdult content doesn't portray targets. Tagging. \n(New-Issued by Cloudflare \nshi(.)cloudflaressl(.)com)", "modified": "2023-10-14T17:02:29.483000", "created": "2023-09-14T19:32:58.552000", "tags": [ "resolutions", "referrer", "elevated exposure", "malformed links", "fraud", "abuse", "united", "cyber threat", "phishing", "blockchain", "covid19", "coalition", "engineering", "facebook", "police agency", "japan", "download", "blacklist", "site", "cisco umbrella", "assassin's pride chapter 12 scans", "chapter", "pride chapter", "assassin", "read", "viewed today", "promise", "apotheosis", "rampage", "magister", "goma", "conan", "magician", "click", "Suricata Alert", "Malvertising", "ssl certificate", "contacted", "execution", "whois record", "pfqlnhi4ex http", "pe resource", "investigation", "team", "metro", "malicious", "social engineering", "cyber crime Alina", "tracker(.)net", "spyware", "monitoring", "tracking", "MITRE ATT&CKS", "malware", "http://www.evantrah.com/b0ar/ (phishing)", "https(:)//b(.)link / infringement (tracking)", "37.235.49.205 (scan host)", "scan hosts", "passkey", "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection", "nr-data.net", "iOS Unlocker", "iOS Data Collection", "Private Data", "distribution", "hacking" ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "Data Analysis", "Pattern Behavior Research" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Canada", "Germany" ], "malware_families": [ { "id": "Alina POS", "display_name": "Alina POS", "target": null }, { "id": "Virus:DOS/Goma", "display_name": "Virus:DOS/Goma", "target": "/malware/Virus:DOS/Goma" }, { "id": "DEcovid19", "display_name": "DEcovid19", "target": null }, { "id": "Assassin", "display_name": "Assassin", "target": null }, { "id": "Virus:Win32/Magistr", "display_name": "Virus:Win32/Magistr", "target": "/malware/Virus:Win32/Magistr" }, { "id": "Darktrack RAT", "display_name": "Darktrack RAT", "target": null }, { "id": "B.link/infringement (tracking)", "display_name": "B.link/infringement (tracking)", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "TrojanDownloader:JS/MalSpam", "display_name": "TrojanDownloader:JS/MalSpam", "target": "/malware/TrojanDownloader:JS/MalSpam" } ], "attack_ids": [ { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2931, "domain": 1095, "hostname": 1798, "URL": 5593, "FileHash-MD5": 23, "FileHash-SHA1": 17, "CVE": 1 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "918 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628077c330f33dfd254e5a8b", "name": "Followed lead to brechlerinsurance.com", "description": "", "modified": "2022-06-13T00:00:32.864000", "created": "2022-05-15T03:47:15.835000", "tags": [ "bomboraconsent", "gdpr", "ccpa", "date", "nthis", "array", "typeof e", "typeerror", "class", "image", "typeof symbol", "afsh", "copyright", "rights reserved", "comscore", "typeof o", "uspapi", "null", "s271733878", "secure hash", "algorithm", "sha1", "a1732584193", "1518500249", "imgurl", "oiqfpsjs", "script", "iframe", "oiqaddpagecat", "inte", "oiqdotag", "track", "regexp", "pseudo", "child", "typeof b", "error", "sufeffxa0", "attr", "void", "udc66udc67", "ud83d", "ufe0f", "ud83e", "udc68udc69", "udfcbudfcc", "u2640u2642", "uddb0uddb3", "udd74udd75", "wpbruiserclient", "browserinfo", "mozinnerscreenx", "xmlhttprequest", "activexobject", "bf7e56f2f3", "zpbcat", "zcluidkrs", "promise", "boolean", "verification", "object", "reflect", "typeof proxy", "demo", "shareaholic", "sfunction", "bearer", "patch", "accept", "function", "symbol", "weakmap", "dataview", "typeof module", "cfunction", "event", "afunction", "efunction", "mfunction", "binnerheightc", "number", "string", "trackevent", "click", "uint8array", "gtmng3vqql", "classes", "path", "code", "typeof r", "function code", "typeof n", "angular", "angularjs", "ember", "meteor", "zepto", "jquery", "vd", "utmb", "firefox", "shockwave flash", "utma", "utmz", "ieproto", "typeof", "widgetrootqa", "driftconductor", "addcookiedomain", "hubspot", "typeof t", "quora pixel", "4294967295", "uint32array", "viewcontent", "infinity", "register domain names", "domain registration", "business web hosting services", "web hosting provider", "business email accounts", "web site hosting", "domain name registration", "ecommerce hosting services", "buy domains", "bulk domain search", "domain name search", "domain hosting", "registrations", "websites", "whois", "registrar", "registry", "domainpeople", "domain name", "registration", "year discount", "web hosting", "us whois", "us contact", "lookup alerts", "support login", "call" ], "references": [ "https://domainpeople.com", "xfe-URL-Domainpeople.com-stix2-2.1-export.json", "xfe-URL-shareaholic.com-stix2-2.1-export.json", "https://js.hubspot.com/analytics/1652585100000/210895.js", "https://js.driftt.com/include/1652585100000/mezhk4858hn8.js", "https://bam.nr-data.net/1/f37cf8a208?a=1772678&v=1216.487a282&to=dlwNQEdeWVgHSxlDV1JWEBtdXlhR&rst=1074&ck=1&ref=https://www.shareaholic.com/&ap=9&be=11&fe=795&dc=37&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1652584962293,%22n%22:0,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:0,%22s%22:0,%22ce%22:0,%22rq%22:0,%22rp%22:0,%22rpe%22:0,%22dl%22:6,%22di%22:37,%22ds%22:37,%22de%22:45,%22dc%22:636,%22l%22:793,%22le%22:796%7D,%22navigation%22:%7B%22ty%22:2%7D%7D&fcp=123&jsonp=NREUM.setToken", "https://js-agent.newrelic.com/nr-1216.min.js", "https://js-na1.hs-scripts.com/210895.js", "https://www.googletagmanager.com/gtm.js?id=GTM-NG3VQQL", "https://dsms0mj1bbhn4.cloudfront.net/assets/pages-afd7ed46648f01def74df6e4c245da53bde609b863bf63ff94a87154f2f82de0.js", "https://dsms0mj1bbhn4.cloudfront.net/webpack/vendors~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~7d559390-c92fe44d0731743b2d8e.js", "https://dsms0mj1bbhn4.cloudfront.net/webpack/default~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~2fbcff42-06fb1418b4e0c0383855.js", "https://dsms0mj1bbhn4.cloudfront.net/ui-header/loader.js", "https://de.tynt.com/deb/v2?id=sh!sh&dn=AFSH&cc=1&r=", "http://www.brechlerinsurance.com/?gdbc-client=3.1.25-1652585170383", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/wp-emoji-release.min.js?ver=479aaeefa13948f8aa1a2479d7a751df", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/jquery/jquery.js?ver=1.12.4", "https://partner.shareaholic.com/partners.js?location=http%3A%2F%2Fwww.brechlerinsurance.com%2F&cl=en-US&id_sync=19da2f0f-8191-4a73-b27d-e95f97e9a686&minify=1&pvs=1&site=d016349f31f268b5ce94fa8e70f6eddd", "https://px.owneriq.net/stas/s/sholic.js", "https://i.simpli.fi/dpx.js?cid=66112&m=0&sifi_tuid=37830&referrer=http%3A%2F%2Fwww.brechlerinsurance.com%2F", "https://sb.scorecardresearch.com/beacon.js", "https://cdn.tynt.com/afsh.js", "xfe-URL-ml314.com-stix2-2.1-export.json", "xfe-URL-bombora.com-stix2-2.1-export.json", "xfe-URL-Owneriq.net-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BomboraConsent", "display_name": "BomboraConsent", "target": null }, { "id": "Vd", "display_name": "Vd", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4185, "URL": 12454, "FileHash-SHA256": 1329, "CVE": 2, "domain": 2068, "email": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 20043, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627fe16ae54614d3d59de881", "name": "Digital Ocean", "description": "\u2026", "modified": "2022-06-13T00:00:32.864000", "created": "2022-05-14T17:05:46.360000", "tags": [ "min", "qe", "photostatus", "hero stripe", "object", "boolean", "license", "urlsearchparams", "typeof t", "events", "pattrick hper", "bsd3clause", "typeerror", "react", "date", "error", "this", "flex", "open", "facebook", "close", "february", "april", "june", "august", "dead", "frozen", "blank", "null", "mutation", "roboto", "4096", "unknown", "clock", "period", "footer", "android", "service", "invisible", "sphinx", "checkbox", "click", "typeof e", "referenceerror", "typeof symbol", "router", "function", "intl", "push", "body", "meta", "string", "url path", "url object", "full", "url api", "nativeurl", "searchparams", "copyright", "closure library", "includes code", "regexp", "html", "plugindetect", "jeff mott", "quicktime", "flash shockwave", "vlc adobereader", "span", "or conditions", "post", "array", "apache license", "version", "this code", "is provided", "on an", "ud83d", "ud83e", "u2695u2696u2708", "udc66udc67", "udc68udc69", "ud83c", "dfunction", "typeof u", "u2640u2642", "9000", "typeof r", "weakmap", "asyncfunction", "proxy", "customevent", "uint8array", "09af", "ver0", "tag0", "extdata0", "ua ch", "window", "documentcookie", "typeof self", "blob", "promise", "reduceright", "number", "l420", "gnp82xmkw0p", "json", "void", "public", "github", "meetup", "swarm", "jump", "sign", "releases", "packages", "contributors", "topics", "star", "contact", "code", "stars" ], "references": [ "xfe-URL-Meetup.com_pro_digitalocean_-stix2-2.1-export.json", "https://github.com/meetup/swarm-ui", "https://www.googletagmanager.com/gtag/js?id=G-NP82XMKW0P&l=dataLayer&cx=c", "https://www.meetup.com/proxydirectory/tags/239562121304/tag.js", "https://www.meetup.com/pro_static/en-US/0.f2cf4c3f.js", "https://dna8twue3dlxq.cloudfront.net/js/profitwell.js", "https://cdn.sift.com/s.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/922061185/?random=1652546907471&cv=9&fst=1652546907471&num=1&label=BaPJCIf2_WYQgZPWtwM&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg5b0&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.meetup.com%2FDigitalOceanMoscow%2F&ref=https%3A%2F%2Fwww.meetup.com%2Fpro%2Fdigitalocean%2F&tiba=DigitalOcean%20Moscow%20(Moscow%2C%20Russia)%20%7C%20Meetup&hn=www.googleadser", "https://cdn.polyfill.io/v2/polyfill.min.js?features=default-3.6,fetch,Intl,Intl.~locale.en-US,Array.prototype.find,Array.prototype.includes,Object.values&flags=gated", "https://www.meetup.com/mu_static/react.ddd38c26.js", "https://www.meetup.com/mu_static/en-US/app.0ff22766.js", "xfe-URL-Sift.com-stix2-2.1-export.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MIN", "display_name": "MIN", "target": null }, { "id": "PhotoStatus", "display_name": "PhotoStatus", "target": null }, { "id": "Qe", "display_name": "Qe", "target": null }, { "id": "Hero Stripe", "display_name": "Hero Stripe", "target": null }, { "id": "DocumentCookie", "display_name": "DocumentCookie", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1266, "URL": 5116, "domain": 734, "FileHash-SHA256": 703, "CVE": 1, "email": 3 }, "indicator_count": 7823, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6216651300b16bc2a50500e6", "name": "Neustar.biz", "description": "", "modified": "2022-03-25T00:03:52.440000", "created": "2022-02-23T16:47:15.827000", "tags": [ "whois record", "ssl certificate", "whois", "registry", "biz registry", "operator", "historical ssl", "graph summary", "atreya", "neustar", "july", "am manos", "antonakakis", "burke", "joffe", "foster", "dejong", "robinson", "steve dejong", "mark robinson", "win32 exe", "microsoft", "date", "subdomains", "communicating", "detections type", "name", "server", "redacted for", "domain status", "privacy tech", "privacy admin", "algorithm", "key identifier", "x509v3 subject", "country", "umbrella", "code" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 656, "URL": 1305, "domain": 248, "FileHash-SHA256": 584, "CVE": 1, "email": 7, "FileHash-SHA1": 6, "FileHash-MD5": 5 }, "indicator_count": 2812, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/she-loves-how-i-pound-her-pussy", "103.224.182.253 [command_and_control]", "http://mangahasu.se/assassins-pride/chapter-12-a-promise-c629157.html?__cf_chl_jschl_tk__=7b4aeee234e6fcb906189a0ee99bff391aedad3f-1591653736-0-ATuxnw3UaJxen2hXCyv", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Pattern Behavior Research", "millet-usgc-1.palantirfedstart.com", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "checkip.dyndns.org [command_and_control]", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "103.224.182.246 [command_and_control]", "https://www.googletagmanager.com/gtag/js?id=G-NP82XMKW0P&l=dataLayer&cx=c", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "3.163.189.120 [Tracking]", "https://cdn.polyfill.io/v2/polyfill.min.js?features=default-3.6,fetch,Intl,Intl.~locale.en-US,Array.prototype.find,Array.prototype.includes,Object.values&flags=gated", "https://tulach.cc/ [phishing attacks]", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "https://www.meetup.com/proxydirectory/tags/239562121304/tag.js", "https://passwords.google/?utm_medium=hpp&utm", "https://dsms0mj1bbhn4.cloudfront.net/webpack/vendors~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~7d559390-c92fe44d0731743b2d8e.js", "https://bam.nr-data.net/1/f37cf8a208?a=1772678&v=1216.487a282&to=dlwNQEdeWVgHSxlDV1JWEBtdXlhR&rst=1074&ck=1&ref=https://www.shareaholic.com/&ap=9&be=11&fe=795&dc=37&af=err,xhr,stn,ins&perf=%7B%22timing%22:%7B%22of%22:1652584962293,%22n%22:0,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:0,%22s%22:0,%22ce%22:0,%22rq%22:0,%22rp%22:0,%22rpe%22:0,%22dl%22:6,%22di%22:37,%22ds%22:37,%22de%22:45,%22dc%22:636,%22l%22:793,%22le%22:796%7D,%22navigation%22:%7B%22ty%22:2%7D%7D&fcp=123&jsonp=NREUM.setToken", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "https://cdn.sift.com/s.js", "Gowi Live Bot.exe", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/jquery/jquery.js?ver=1.12.4", "https://dsms0mj1bbhn4.cloudfront.net/assets/pages-afd7ed46648f01def74df6e4c245da53bde609b863bf63ff94a87154f2f82de0.js", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "https://sb.scorecardresearch.com/beacon.js", "https://www.mumuplayer.com/redirect/customerservice/_wig", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI", "https://dsms0mj1bbhn4.cloudfront.net/ui-header/loader.js", "http://consolefoundry.date/one/gate.php", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "https://www.googletagmanager.com/gtm.js?id=GTM-NG3VQQL", "https://domainpeople.com", "https://js.driftt.com/include/1652585100000/mezhk4858hn8.js", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "tulach.cc [AM | phishing]", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/922061185/?random=1652546907471&cv=9&fst=1652546907471&num=1&label=BaPJCIf2_WYQgZPWtwM&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=2&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg5b0&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.meetup.com%2FDigitalOceanMoscow%2F&ref=https%3A%2F%2Fwww.meetup.com%2Fpro%2Fdigitalocean%2F&tiba=DigitalOcean%20Moscow%20(Moscow%2C%20Russia)%20%7C%20Meetup&hn=www.googleadser", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "https://github.com/meetup/swarm-ui", "https://www.meetup.com/mu_static/react.ddd38c26.js", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "http://freedns.afraid.org/images/apple.gif", "Researched: https://hcpf.colorado.gov/", "https://www.meetup.com/pro_static/en-US/0.f2cf4c3f.js", "xfe-URL-Owneriq.net-stix2-2.1-export.json", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "https://www.meetup.com/mu_static/en-US/app.0ff22766.js", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "Malicious IP Contacted: 69.42.215.252", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "xfe-URL-Meetup.com_pro_digitalocean_-stix2-2.1-export.json", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "104.86.182.8 [command_and_control]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "xfe-URL-Sift.com-stix2-2.1-export.json", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "xfe-URL-shareaholic.com-stix2-2.1-export.json", "https://i.simpli.fi/dpx.js?cid=66112&m=0&sifi_tuid=37830&referrer=http%3A%2F%2Fwww.brechlerinsurance.com%2F", "https://de.tynt.com/deb/v2?id=sh!sh&dn=AFSH&cc=1&r=", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.brechlerinsurance.com/?gdbc-client=3.1.25-1652585170383", "https://dsms0mj1bbhn4.cloudfront.net/webpack/default~header~related-content~share-buttons~site-settings~user-settings~yarpp-header~yarpp-sites~ya~2fbcff42-06fb1418b4e0c0383855.js", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "https://www.reddit.com/user/", "xfe-URL-ml314.com-stix2-2.1-export.json", "https://js.hubspot.com/analytics/1652585100000/210895.js", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "Data Analysis", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "https://px.owneriq.net/stas/s/sholic.js", "xfe-URL-bombora.com-stix2-2.1-export.json", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "https://partner.shareaholic.com/partners.js?location=http%3A%2F%2Fwww.brechlerinsurance.com%2F&cl=en-US&id_sync=19da2f0f-8191-4a73-b27d-e95f97e9a686&minify=1&pvs=1&site=d016349f31f268b5ce94fa8e70f6eddd", "https://js-na1.hs-scripts.com/210895.js", "Alerts: packer_unknown", "https://cdn.tynt.com/afsh.js", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "www.supernetforme.com [command_and_control]", "System has placed affected on multiple policies cancelling private policy without notice.", "86.140.232.148 [scanning_host]", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "xfe-URL-Domainpeople.com-stix2-2.1-export.json", "rp.downloadastrocdn.com [command_and_control]", "https://js-agent.newrelic.com/nr-1216.min.js", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "http://www.brechlerinsurance.com/wwblcms/wp-includes/js/wp-emoji-release.min.js?ver=479aaeefa13948f8aa1a2479d7a751df", "Researched publicly available information provided by representative of a target\u2019s estate", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "ddos.dnsnb8.net [command_and_control]", "https://dna8twue3dlxq.cloudfront.net/js/profitwell.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan.agent", "B.link/infringement (tracking)", "Qe", "Decovid19", "Vd", "Psw:win32/vb.cu", "Trojandownloader:js/malspam", "Lizar", "Static ai - malicious pe", "Win.trojan.emotet-9850453", "Domino", "Worm:win32/autorun!atmn", "Tulach malware", "Win.dropper.nanocore-10021490-0", "Hero stripe", "Photostatus", "Win.trojan.blacknetrat-7838854-0", "Documentcookie", "Nso", "Carbanak", "Rokrat", "Cobalt strike", "Other malware", "Code overlap", "Virus:dos/goma", "Project nemesis", "Agent tesla", "Am", "Nsis", "Virus:win32/magistr", "Adware.pcappstore/veryfast", "Honeypot", "Alina pos", "Darktrack rat", "Malware", "Bomboraconsent", "Win.packed.remcos-10024510-0", "Min", "Assassin", "Reduceright" ], "industries": [ "Financial", "Hospitality", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 28, "pulses": [ { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e2e68815e273bfc30a2331", "name": "NSO Group \u2022 OTX Auto Pulse \u2022 bethesda[.]net ", "description": "", "modified": "2025-11-04T20:00:18.711000", "created": "2025-10-05T21:43:36.998000", "tags": [ "present aug", "present jun", "united", "present sep", "status", "present jul", "elder scrolls", "aaaa", "present oct", "creation date", "body", "date", "fallout", "evil", "title", "server", "domain status", "registrar abuse", "dnssec", "domain name", "contact email", "contact phone", "registrar iana", "host name", "handle", "rdap database", "iana registrar", "entity roles", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus oamazon", "cnamazon rsa", "m03 validity", "subject public", "key info", "record type", "ttl value", "india unknown", "present dec", "a domains", "script urls", "search", "present may", "present apr", "present mar", "present feb", "service", "meta", "encrypt", "passive dns", "entries", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "trojan", "servers", "name servers", "hostname add", "ip address", "domain", "showing", "spyware", "pegasus", "graphite", "paragon", "nso group", "security", "samsung", "google", "amazon", "malware", "nso", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "script", "ascii text", "pattern match", "null", "refresh", "starfield", "heretic", "doom", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "code", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NSO", "display_name": "NSO", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "68e2db3a16fcfd7d323f105b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 79, "FileHash-SHA256": 322, "email": 6, "hostname": 1577, "URL": 4971, "domain": 927 }, "indicator_count": 7951, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e2db3a16fcfd7d323f105b", "name": "[ https://] bethesda[.]net - Spyware", "description": "Bethesda net | Appears as a Gaming platform - Steam ~ | Is Offensive Security | \n\n(cloudfront.net)\n\nName :Legal Department\nName Servers :NS-1306.AWSDNS-35.ORG\n3.163.24.4\nReverse DNS\nserver-3-163-24-4.hio52.r.cloudfront.net\nLocation:\nUnited States of America\nASN :\nASNone\nPositive: bad traffic, spyware \nRelated Tags from 325+\nPulses some may no longer be relevant just related : Spyware\n, \nTrojan\n, \nPegasus\n, \nDNS\n, \nGraphite\n, \nParagon\n, \nNSO\n, \nNSO Group\n, \nSecurity\n, \nSamsung\n, \nGoogle\n, \nAmazon\n, \nHP\n, \nCloudflare\n, \nEndgame\n, \nEurope\n, \nEspionage\n, \nMalware\n | (Seen before: \nhelixcloud.ch)\nI\u2019d like a a try pulse from OTX , not possible , page kept refreshing\u2026", "modified": "2025-11-04T20:00:18.711000", "created": "2025-10-05T20:55:22.423000", "tags": [ "present aug", "present jun", "united", "present sep", "status", "present jul", "elder scrolls", "aaaa", "present oct", "creation date", "body", "date", "fallout", "evil", "title", "server", "domain status", "registrar abuse", "dnssec", "domain name", "contact email", "contact phone", "registrar iana", "host name", "handle", "rdap database", "iana registrar", "entity roles", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus oamazon", "cnamazon rsa", "m03 validity", "subject public", "key info", "record type", "ttl value", "india unknown", "present dec", "a domains", "script urls", "search", "present may", "present apr", "present mar", "present feb", "service", "meta", "encrypt", "passive dns", "entries", "title error", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "location united", "trojan", "servers", "name servers", "hostname add", "ip address", "domain", "showing", "spyware", "pegasus", "graphite", "paragon", "nso group", "security", "samsung", "google", "amazon", "malware", "nso", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "script", "ascii text", "pattern match", "null", "refresh", "starfield", "heretic", "doom", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "code", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NSO", "display_name": "NSO", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 79, "FileHash-SHA256": 322, "email": 6, "hostname": 1577, "URL": 4971, "domain": 927 }, "indicator_count": 7951, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bbdb22e3d606ae8fb5cda8", "name": "HCPF | Department of Health Care Policy and Financing", "description": "Project Nemesis - Affects Department of Health Care Policy and Financing | Family representative repeatedly told past bills aren\u2019t being paid by United Healthcare. Argus Insurance (unknown entity) was Policy on record target never had. FR was given information regarding HCPF which was being viewed by past vendor seen in (https://otx.alienvault.com/pulse/68bbb31f6d91989d7fcd9592) | Issues with HCPF have been an issue for some time in isolated scenarios. It\u2019s unclear how at least one person keeps getting their name, bills and life pulled into this. Target PURCHASED a Healthcare policy via agent before major social engineering attacks. Same entity literally robs targets. Gift cards, phone services, cloud storage, account, insurance policies, bank account access, tax refunds, paid claims reversed & taken from target\u2019s account.\nMore research needed. Flaws in new system could jeopardize many. \n#trulymissed #rip #techbrohell #palantir", "modified": "2025-10-06T05:01:18.794000", "created": "2025-09-06T06:56:34.649000", "tags": [ "federal changes", "health first", "colorado", "child health", "plan plus", "newimpact", "medicaidour", "impact", "medicaid page", "medicaid", "beware", "text/html", "trackers", "iframes", "external-resources", "new relic", "g1gv3h3sxc0", "utc gcw970gh4gg", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "no expiration", "url https", "type indicator", "role title", "related pulses", "hostname https", "m4e5930", "hostname", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "search", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "urls", "title", "date", "resolved ips", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "endgame systems" ], "references": [ "Researched: https://hcpf.colorado.gov/", "www.onyx-ware.com \u2022 https://www.endgamesystems.com/", "millet-usgc-1.palantirfedstart.com", "https://securityaffairs.com/109671/hacking/50000-home-cameras-hacked.html", "https://passwords.google/?utm_medium=hpp&utm_source=google&utm_campaign=sid2023aunonenms", "https://passwords.google/?utm_medium=hpp&utm", "https://securityaffairs.com/181338/security/google-fixed-chrome-flaw-found-by-big-sleep-ai.html", "Researched publicly available information provided by representative of a target\u2019s estate", "System has placed affected on multiple policies cancelling private policy without notice.", "Paid for plan long after entity put target on a state plan. Target audited for making too much money (framed)", "Provided documented evidence of appealed state issued plan and disclosed financials.", "Won appeal. Denied stimulus until passing another audit showing taxable income and filed taxes", "I hope this goes smoothly. I believe will be a nightmare as witnessed. I hope I\u2019m wrong.", "State (or random \u2022_- hackers) erased evidence of targets insurance all paid for by target.", "Target also owned an online brokerage & lead company, was agent & insurance marketer for years.", "September began with false information, defaulted claims , denials from authorized services rendered years prior.", "If someone has Medicare it\u2019s wise to check with carrier & providers to see policies generated by AI" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Hospitality", "Financial", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1395, "URL": 4304, "CVE": 1, "domain": 694, "FileHash-SHA256": 1790, "FileHash-MD5": 183, "FileHash-SHA1": 103, "SSLCertFingerprint": 5 }, "indicator_count": 8475, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4bc7487548e66d6f004", "name": "Virus:DOS/Goma", "description": "", "modified": "2023-12-06T16:43:40.375000", "created": "2023-12-06T16:43:40.375000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4b4259cafcf79907b2f", "name": "APPLE ALERT: nr-data.net - Private Apple and iOS Data Collection and Distribution", "description": "", "modified": "2023-12-06T16:43:32.408000", "created": "2023-12-06T16:43:32.408000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4ac54885a7e866cedca", "name": "Elevated Exposure", "description": "", "modified": "2023-12-06T16:43:24.027000", "created": "2023-12-06T16:43:24.027000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4a3ac21d7733c8e1040", "name": "Malvertising", "description": "", "modified": "2023-12-06T16:43:15.632000", "created": "2023-12-06T16:43:15.632000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2931, "hostname": 1798, "FileHash-MD5": 23, "FileHash-SHA1": 17, "URL": 5593, "domain": 1095 }, "indicator_count": 11458, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "serverless-dev.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "serverless-dev.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776629520.9063375 }