{
"type": "Domain",
"indicator": "sharepoint.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/sharepoint.com",
"alexa": "http://www.alexa.com/siteinfo/sharepoint.com",
"indicator": "sharepoint.com",
"type": "domain",
"type_title": "Domain",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #7364",
"name": "Akamai Popular Domain"
},
{
"source": "majestic",
"message": "Whitelisted domain sharepoint.com",
"name": "Whitelisted domain"
},
{
"source": "whitelist",
"message": "Whitelisted domain sharepoint.com",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 325465742,
"indicator": "sharepoint.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc70fcbd3f613502e1f7",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T09:28:38.049000",
"created": "2026-04-17T06:00:16.867000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 442,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24911,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc6fd3c4022e08db781d",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T06:51:33.372000",
"created": "2026-04-17T06:00:15.760000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 441,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3b4900e932be011875",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-09T01:25:44.696000",
"created": "2026-04-07T04:51:07.162000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 112,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3cfab80e8a75ef85c1",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-07T05:22:42.355000",
"created": "2026-04-07T04:51:08.017000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 113,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 584,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3b4cb631f407faf565",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-07T04:55:44.376000",
"created": "2026-04-07T04:51:07.591000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 112,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a77cfcac37b94cdafabb0d",
"name": "Outlook",
"description": "IOCS",
"modified": "2026-04-03T08:24:06.638000",
"created": "2026-03-04T00:29:48.657000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 712,
"domain": 759,
"hostname": 194,
"FileHash-SHA1": 148,
"email": 37,
"FileHash-SHA256": 437,
"FileHash-MD5": 118,
"CVE": 1
},
"indicator_count": 2406,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ce1c7b60a3065cc75b7e23",
"name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?",
"description": "",
"modified": "2026-04-02T07:42:49.581000",
"created": "2026-04-02T07:36:27.829000",
"tags": [
"raspberry pi",
"hdmi",
"hdmi mode",
"uncomment",
"additional",
"usb mass",
"pi02",
"pi zero",
"zero",
"enable drm",
"program",
"license",
"free software",
"foundation",
"general public",
"gnu general",
"public license",
"the program",
"copyright",
"sections",
"june",
"general",
"april",
"vice",
"drivers",
"analog",
"digital",
"video",
"bus support",
"media",
"accelerometers",
"capacitance",
"resolver",
"android",
"flash",
"monitoring",
"codec",
"loop",
"light",
"linear",
"tools",
"class",
"speakup",
"core support",
"legacy",
"kernel",
"this software",
"including",
"but not",
"limited to",
"ltd all",
"redistributions",
"disclaimer",
"is provided",
"damage",
"info",
"params",
"gpio",
"gpio pin",
"select",
"digital volume",
"load",
"gpios",
"compute module",
"spi bus",
"front",
"clock",
"speed",
"tiny",
"kali",
"oled",
"systemd",
"digi",
"miso",
"screen",
"show",
"global property",
"bootmenu",
"label",
"booting",
"please",
"javascript",
"entity",
"file list",
"size first",
"credits text",
"readme text",
"no meaningful",
"url list",
"status https",
"domain list",
"enom",
"registrar",
"ltd dba",
"com laude",
"ip address",
"ip adresses",
"U of A",
"GoA",
"Treaty 6",
"Treaty 7",
"Treaty 8",
"AHS"
],
"references": [
"cmdline.txt",
"config.txt",
"COPYING.linux",
"config-5.15.44-Re4son-v7+",
"config-5.15.44-Re4son-v7l+",
"config-5.15.44-Re4son-v8l+",
"config-5.15.44-Re4son+",
"config-5.15.44-Re4son-v8+",
"grub_background.sh",
"LICENCE.broadcom",
"README",
"theme.txt",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e",
"https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1050",
"name": "New Service",
"display_name": "T1050 - New Service"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Agriculture",
"Finance",
"Transportation"
],
"TLP": "white",
"cloned_from": "698f07428f6e35876e034e41",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 812,
"URL": 2492,
"hostname": 1171,
"FileHash-SHA256": 2057,
"CVE": 2,
"FileHash-MD5": 14,
"FileHash-SHA1": 16,
"email": 2,
"CIDR": 118
},
"indicator_count": 6684,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6989077aa8c925b423ef9354",
"name": "Hybrid Managed Service Actor / provisioned insider",
"description": "An artifact was observed on May 4, 2025, utilizing a document lure. Analysis of the artifact indicated a failed cryptographic validation. This activity occurred specifically within the 24-hour period preceding the May 5, 2025, Microsoft DMARC/DKIM/SPF enforcement.\nThis activity was followed by the execution of suspected malware payloads, leading to the unauthorized transfer of data. The observed data exfiltration endpoint was hasthe.technology.",
"modified": "2026-03-31T21:36:40.020000",
"created": "2026-02-08T22:00:24.065000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 414,
"FileHash-SHA256": 115,
"CVE": 91,
"hostname": 374,
"URL": 657,
"email": 19,
"JA3": 1,
"FileHash-MD5": 13,
"FileHash-SHA1": 13
},
"indicator_count": 1697,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6988faa4f668aeeed6f86da8",
"name": "zero trust",
"description": "researcher credit: msudoSOS : CLBCatQ.DLL\tThe malware is hijacking your COM+ Class Catalog to hide as a System Service.\nCoMarshalInterface\tYour identity is being \"packaged\" and sent via the LTE Trial to the '' Edge.\npid 2356 / 2812\tThese are the active processes currently communicating with the 49.12.22.106 C2 server.",
"modified": "2026-03-27T09:05:26.285000",
"created": "2026-02-08T21:05:37.829000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"display_name": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"target": null
},
{
"id": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"display_name": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"target": null
},
{
"id": "#Exploit:Win32/BlofeldsCat",
"display_name": "#Exploit:Win32/BlofeldsCat",
"target": "/malware/#Exploit:Win32/BlofeldsCat"
},
{
"id": "TEL:Exploit:HTML/PSWebkit",
"display_name": "TEL:Exploit:HTML/PSWebkit",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 394,
"hostname": 250,
"CVE": 112,
"URL": 190,
"email": 25,
"JA3": 1,
"FileHash-MD5": 191,
"FileHash-SHA1": 214,
"FileHash-SHA256": 607
},
"indicator_count": 1984,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 60,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698904c316bc7710b967d01d",
"name": "Rare Tier 1 Persistence - Critical \"Patched\", Non Patched Vulnerabilities Remain bypassing Lockdown Mode",
"description": "Researcher Note (Feb 08, 2026):\nThis artifact represents a sophisticated Cross-Protocol Mesh. Observations confirm that the Cymt/Nemucod wrapper is being utilized as a delivery vehicle for a Firmware-resident ELF binary (Mirai variant).\nThe persistence is notable for its ability to survive Full DFU Restores and Faraday-isolated states, likely due to JTAG-level interaction with the Power Management IC (Chip 4799). This is not a standard opportunistic infection; it is a targeted provisioning event leveraging IDMSA (Identity Management) bridges and Verizon/Akamai Edge infrastructure.\nThe integration with CalendarKit and Maps for geofenced execution suggests a highly coordinated surveillance objective. Forensic analysts should pay specific attention to the sizeofrawdata_antidbg anomalies, which indicate a focus on bypassing Apple Lockdown Mode and Secure Enclave. \nresearcher credit: msudoSOS",
"modified": "2026-03-27T09:05:26.285000",
"created": "2026-02-08T21:48:49.147000",
"tags": [
"#supportsitewebsiteabuse #rootcertificatefailure #cryptographicf"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 909,
"URL": 1779,
"CVE": 126,
"domain": 659,
"email": 23,
"JA3": 1,
"FileHash-MD5": 230,
"FileHash-SHA1": 227,
"FileHash-SHA256": 934,
"CIDR": 13
},
"indicator_count": 4901,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 54,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698918baac756a084ef67089",
"name": "151.101.0.22",
"description": "151.101.0.22",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T23:13:59.775000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 317,
"domain": 494,
"URL": 286,
"CVE": 78,
"email": 33,
"JA3": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 4,
"FileHash-SHA256": 2
},
"indicator_count": 1225,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698910e3f78fe72e45c8e068",
"name": "hostasa.org",
"description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T22:40:32.430000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 80,
"URL": 141,
"domain": 348,
"hostname": 234,
"email": 18,
"JA3": 1,
"FileHash-MD5": 10,
"FileHash-SHA1": 7,
"FileHash-SHA256": 6
},
"indicator_count": 845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698910df5a3e7798d4da271a",
"name": "hostasa.org",
"description": "Correlated activity identified with hostasa.org (IP: 34.41.139.193). Indicators suggest an MSI-based Malspam vector initiated on May 4, 2025. Artifacts utilize HWRN nameservers for resilient command-and-control, bridging ASP.NET reflective loaders to the Verizon LTE/Baseband layer. Domain is currently tagged for SpyNoon and ClipBanker exfiltration",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-02-08T22:40:28.891000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 278,
"hostname": 177,
"URL": 133,
"FileHash-SHA256": 22,
"CVE": 69,
"email": 14,
"JA3": 1
},
"indicator_count": 694,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698f07428f6e35876e034e41",
"name": "Chance Encounter Commuting from U of A to GoA - 02.13.2026",
"description": "My 1st Graph: Hidden Boots on my Phone ( Chance Encounter Commuting from U of A to GoA - 02.13.2026 ). \nConclusion: U of A and the Governments of Alberta, and those of Treaty 6/7/8 have been victims of crime.\nhttps://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark",
"modified": "2026-03-15T10:19:15.579000",
"created": "2026-02-13T11:13:03.870000",
"tags": [
"raspberry pi",
"hdmi",
"hdmi mode",
"uncomment",
"additional",
"usb mass",
"pi02",
"pi zero",
"zero",
"enable drm",
"program",
"license",
"free software",
"foundation",
"general public",
"gnu general",
"public license",
"the program",
"copyright",
"sections",
"june",
"general",
"april",
"vice",
"drivers",
"analog",
"digital",
"video",
"bus support",
"media",
"accelerometers",
"capacitance",
"resolver",
"android",
"flash",
"monitoring",
"codec",
"loop",
"light",
"linear",
"tools",
"class",
"speakup",
"core support",
"legacy",
"kernel",
"this software",
"including",
"but not",
"limited to",
"ltd all",
"redistributions",
"disclaimer",
"is provided",
"damage",
"info",
"params",
"gpio",
"gpio pin",
"select",
"digital volume",
"load",
"gpios",
"compute module",
"spi bus",
"front",
"clock",
"speed",
"tiny",
"kali",
"oled",
"systemd",
"digi",
"miso",
"screen",
"show",
"global property",
"bootmenu",
"label",
"booting",
"please",
"javascript",
"entity",
"file list",
"size first",
"credits text",
"readme text",
"no meaningful",
"url list",
"status https",
"domain list",
"enom",
"registrar",
"ltd dba",
"com laude",
"ip address",
"ip adresses",
"U of A",
"GoA",
"Treaty 6",
"Treaty 7",
"Treaty 8",
"AHS"
],
"references": [
"cmdline.txt",
"config.txt",
"COPYING.linux",
"config-5.15.44-Re4son-v7+",
"config-5.15.44-Re4son-v7l+",
"config-5.15.44-Re4son-v8l+",
"config-5.15.44-Re4son+",
"config-5.15.44-Re4son-v8+",
"grub_background.sh",
"LICENCE.broadcom",
"README",
"theme.txt",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e",
"https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1050",
"name": "New Service",
"display_name": "T1050 - New Service"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Agriculture",
"Finance",
"Transportation"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "UCP_GoA23",
"id": "382539",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 812,
"URL": 2492,
"hostname": 1171,
"FileHash-SHA256": 2057,
"CVE": 2,
"FileHash-MD5": 14,
"FileHash-SHA1": 16,
"email": 2,
"CIDR": 118
},
"indicator_count": 6684,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 17,
"modified_text": "36 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a5c36b78ed73550bb0bf22",
"name": "by Disable_Duck",
"description": "",
"modified": "2026-03-04T23:37:24.208000",
"created": "2026-03-02T17:05:47.288000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB",
"TLS/SSL Crawler",
"CVE-2026-24061 Attempt",
"Generic IoT Default Password Attempt",
"Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt",
"Dahua Backdoor Attempt",
"ENV Crawler",
"DCERPC Protocol",
"Carries HTTP Referer",
"GNU Inetutils Telnetd Auth Bypass",
"ICMPv4 Protocol"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)",
"Argentina",
"Switzerland"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6901363c4ce422f5caf0f72c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 996,
"domain": 987,
"hostname": 3306,
"email": 4,
"CVE": 1
},
"indicator_count": 27048,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6901363c4ce422f5caf0f72c",
"name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)",
"description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)",
"modified": "2026-02-18T05:00:41.494000",
"created": "2025-10-28T21:31:40.008000",
"tags": [
"kgs0",
"kls0",
"botname http",
"entity",
"UAlberta",
"Telus",
"Norton",
"ffss",
"Alberta",
"AlbertaNDP",
"InteriorHealth",
"RCMP",
"CrimeStoppersAB",
"EdmontonPolice",
"RCMP Kelowna",
"RCMP AB"
],
"references": [
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Netherlands",
"Panama",
"Poland",
"United Kingdom of Great Britain and Northern Ireland",
"Slovakia",
"Aruba",
"Anguilla",
"Australia",
"Costa Rica",
"Guatemala",
"Mexico",
"Trinidad and Tobago",
"Cura\u00e7ao",
"Philippines",
"Virgin Islands, U.S.",
"Ukraine",
"Barbados",
"Germany",
"Sint Maarten (Dutch part)"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Healthcare",
"Government",
"Technology",
"Energy",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3903,
"FileHash-SHA1": 4967,
"FileHash-SHA256": 12884,
"URL": 995,
"domain": 984,
"hostname": 3305,
"email": 4
},
"indicator_count": 27042,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "61 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69583b21d32b6dbec9fb13b9",
"name": "Copy of DynaLIFE Medical Labs/Alberta Precision Labs - Q(.)Me & EdgeUNO 89(.)35(.)237(.)180",
"description": "VT Graph (miniuser, 2025)\n\nAlberta Precision Laboratories (Dynalife) is a wholly-owned subsidiary of AHS and supports patients receiving care in the community and through AHS programs and facilities. \n\nVisit albertaprecisionlabs. ca to learn more.",
"modified": "2026-02-01T21:00:26.328000",
"created": "2026-01-02T21:39:45.979000",
"tags": [
"AHS",
"CovenantHealth",
"AlbertaHealthServices",
"Dynalife",
"EdgeUno",
"PrecisionLabs",
"AlbertaPrecisionLaboratories"
],
"references": [
"https://www.albertahealthservices.ca/lab/lab.aspx",
"https://www.virustotal.com/graph/embed/g7eeb81c43b7e4ea6b1ec5d4716cae14e7d2751b6451748739bb78e5714281967?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 75,
"FileHash-MD5": 57,
"FileHash-SHA1": 60,
"FileHash-SHA256": 613,
"domain": 21,
"hostname": 272
},
"indicator_count": 1098,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "78 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692131f725473d708579ec3a",
"name": "Drive-by Compromise",
"description": "",
"modified": "2025-11-22T03:45:59.649000",
"created": "2025-11-22T03:45:59.649000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66f31b9a0551ca166c872292",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "149 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68b78d521f024d3a98fc79c8",
"name": "VT Graph miniuser - Databreach IOCs & Links",
"description": "Related to Pulse: Food for Thought (Updated 09.02.25)\n\n*Note most links are malicious",
"modified": "2025-10-03T00:01:12.616000",
"created": "2025-09-03T00:35:30.936000",
"tags": [
"kgs0",
"kls0",
"entity",
"UAlberta",
"University of Alberta",
"Hacked",
"DataBreach"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 132,
"FileHash-SHA1": 121,
"FileHash-SHA256": 711,
"URL": 83,
"domain": 50,
"hostname": 125
},
"indicator_count": 1222,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "199 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6892e73b32af18aa302df0dc",
"name": "Part 1.5",
"description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
"modified": "2025-09-05T04:03:06.929000",
"created": "2025-08-06T05:25:15.369000",
"tags": [
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"june",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"impact",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"file defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"script",
"mitre att",
"pattern match",
"show technique",
"iframe",
"refresh",
"august",
"general",
"local",
"tools",
"demo",
"look",
"verify",
"restart",
"url http",
"small",
"pulses url",
"tellyoun",
"showing",
"entries",
"url https",
"indicator role",
"title added",
"active related",
"type indicator",
"role title",
"added active",
"related pulses",
"cc08",
"f06a6b",
"sfurl",
"filehashsha256",
"types",
"indicators show",
"search",
"pulses",
"filehashsha1",
"adversaries",
"found",
"webp image",
"ascii text",
"riff",
"size",
"encrypt",
"legacy",
"filehashmd5",
"united",
"flag",
"server",
"markmonitor",
"name server",
"llc name",
"overview dns",
"requests domain",
"country",
"win32",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"detections",
"malware",
"copy",
"show",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"extraction",
"data upload",
"enter sc",
"type",
"extra data",
"please",
"failed",
"review",
"exclude data",
"included review",
"ic data",
"suggeste",
"stop",
"type onow",
"domain",
"passive dns",
"urls",
"files related",
"pulses none",
"related tags",
"none google",
"safe browsing",
"sc data",
"extr amanuav",
"review included",
"manualy",
"sugges excluded",
"filehash",
"md5 add",
"pulse pulses",
"url add",
"http",
"hostname",
"files domain",
"pulses otx",
"virustotal",
"hsmi192547107",
"pulses hostname",
"r dec",
"customer dec",
"iski dec",
"decision dec",
"va dec",
"bitcoin",
"bitcoin dec",
"petra",
"torstatus dec",
"paul dec",
"sodesc",
"planet dec",
"emilia",
"heroin dec",
"difference dec",
"palantir dec",
"loraxlive dec",
"chaturbate dec",
"sandra",
"free dec",
"marvel dec",
"benjis dec",
"fresh dec",
"sodesc dec",
"srdirport",
"srhostname",
"link dec",
"types of",
"italy",
"china",
"australia",
"france",
"turkey",
"discovery",
"information",
"ck ids",
"t1005",
"local system",
"t1007",
"system service",
"part",
"track",
"locate",
"political",
"civil society",
"news",
"created",
"hours ago",
"report spam",
"t1555",
"password",
"t1560",
"collected data",
"t1573",
"channel",
"t1574",
"execution flow",
"scan",
"iocs",
"t1497",
"u0lhmq",
"mtawmq",
"t1480",
"guardrails",
"t1486",
"data encrypted",
"learn more",
"unsubscribe aug",
"protocol",
"t1074",
"staged",
"t1083",
"t1102",
"web service",
"t1105",
"tool transfer",
"t1140",
"data engineer",
"candidate",
"tlsv1",
"odigicert inc",
"stcalifornia",
"lsan jose",
"oadobe systems",
"incorporated",
"cndigicert sha2",
"push",
"next",
"high",
"write c",
"ireland as16509",
"delete",
"dirty",
"tags",
"t1012",
"flow endpoint",
"security scan",
"t1106",
"copyright",
"levelblue"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 608,
"FileHash-SHA1": 433,
"FileHash-SHA256": 3663,
"URL": 17104,
"domain": 1316,
"email": 39,
"hostname": 4208,
"SSLCertFingerprint": 17
},
"indicator_count": 27388,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "227 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6892a73593f73dfc969779b0",
"name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns",
"description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]",
"modified": "2025-09-05T00:03:23.223000",
"created": "2025-08-06T00:52:05.051000",
"tags": [
"url http",
"small",
"indicator role",
"title added",
"active related",
"pulses hostname",
"tellyoun",
"n aug",
"entries",
"data upload",
"extraction",
"windows error",
"june",
"fwd urgent",
"justice czech",
"copy sha256",
"rejectedfailed",
"timestamp input",
"message status",
"actions august",
"file",
"actions june",
"actions may",
"cta4 https",
"context related",
"associated urls",
"campaigncodedsc",
"language",
"uid http",
"community",
"sha256",
"size42b type",
"submitted",
"august",
"april",
"internal error",
"previous1",
"iframe",
"community score",
"scan analysis",
"malicious",
"intelligence",
"learn",
"falcon sandbox",
"submissions",
"status",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"windows folder",
"found",
"dlls",
"impact",
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9062,
"domain": 707,
"hostname": 2318,
"FileHash-MD5": 86,
"FileHash-SHA1": 26,
"FileHash-SHA256": 2096,
"email": 5,
"FilePath": 2,
"URI": 1
},
"indicator_count": 14303,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "227 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68788dfd4a0943cb318c7137",
"name": "DarkWatchman Chekin Activity",
"description": "",
"modified": "2025-08-16T06:02:36.091000",
"created": "2025-07-17T05:45:33.250000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7596,
"FileHash-SHA1": 3987,
"FileHash-SHA256": 8622,
"URL": 1922,
"domain": 2530,
"hostname": 2524,
"email": 37,
"CVE": 6,
"SSLCertFingerprint": 6
},
"indicator_count": 27230,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "247 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "685094452f1739c5a766cce2",
"name": "Ogrodnictwo - Baza Firm 2024.xls",
"description": "https://www.virustotal.com/gui/file/5efeb26d7ace64c8011cf6fc7ab00343c27de26dca1402aa6d6a4492a0afa6a1/behavior",
"modified": "2025-07-16T20:00:18.627000",
"created": "2025-06-16T22:01:41.450000",
"tags": [
"externalnet",
"homenet",
"reply",
"ssdeep",
"block",
"click",
"body",
"exchange online",
"ipv6",
"destinationport",
"microsoft",
"common",
"office online",
"excel",
"nextron",
"connection",
"ip id",
"vhash"
],
"references": [
"Office Application Initiated Network Connection To Non-Local IP"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 1,
"FileHash-SHA256": 103,
"CIDR": 36,
"CVE": 1,
"URL": 156,
"domain": 19,
"hostname": 60
},
"indicator_count": 378,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "278 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67a7c788f6d595369932f8be",
"name": "Thor Lite Windows 11 Enterprise - Scan of impacted AHS Workstation/Sample - 01.31.25 - Not Enriched",
"description": "Completed a Thor-Lite 64 Scan v. 10.7.18 on AHS Workstation/Sample Device\nScan ID: S-5thsJ4jlWSA\nSignature Database: 2025/01/31-192845\nOperators --intense --allfiles --vtkey *** --vtmode full\nModules: Filescan 2, LogScan 300, ProcessIntegrity 62 -> Alerts 0, Warnings 18, Notice 350, Info 1423, Errors 0\nUpdated: 05.12.25",
"modified": "2025-06-11T18:01:20.529000",
"created": "2025-02-08T21:07:19.851000",
"tags": [
"scanid",
"sun feb",
"exists1",
"size1",
"company1",
"mz created1",
"desc1",
"imphash1",
"originalname1",
"internalname1",
"score",
"service",
"february",
"pipes",
"rootkit",
"timestomp",
"doublepulsar",
"logger",
"teamviewer",
"virustotal",
"model",
"arch",
"hosts",
"valhalla"
],
"references": [
"Scan ID: S-5thsJ4jlWSA",
"https://www.virustotal.com/gui/collection/2e519dcc314b2c036e7f6b5e7e691bc359a1300fa0521022aef0ce66ce48f1c7",
"https://www.virustotal.com/gui/collection/2e519dcc314b2c036e7f6b5e7e691bc359a1300fa0521022aef0ce66ce48f1c7/iocs",
"https://www.virustotal.com/graph/embed/gd67698ddea1e47ca9b50e0e0bf5b34ffbc6e4305328d4dfc997a86046da0cda6?theme=dark",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings",
"https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264",
"https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Healthcare",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1135,
"FileHash-SHA1": 627,
"FileHash-SHA256": 593,
"URL": 39,
"domain": 5,
"email": 1,
"hostname": 11,
"CVE": 1,
"SSLCertFingerprint": 5
},
"indicator_count": 2417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "313 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67b109cbfbcc6f92c399b327",
"name": "UAlberta Breach Data - Food for thought - thoughts & input on how to 'bring some attention to this' (not enriched)",
"description": "Just thought I'd throw thisntogether and 'see what ya'll make of it' (documents a VT graph produced and slightly modified) that pulls a lot of things together. Highlights both 'some problems' - U of A / Gov. of AB (who are also some 'solutions'). \nIdeas on how to grab their attention and maybe bring some 'urgency' to this issue? I have a few solutions and ideas for everyone - problem: I require some folks to 'do their jobs' (there is not 10 of me). Thoughts on how to encourage them to act on these problems. Present status: Connected directly to them on other devices. Within literal 5 min walking range.",
"modified": "2025-05-27T07:01:17.646000",
"created": "2025-02-15T21:40:27.895000",
"tags": [
"kgs0",
"kls0"
],
"references": [
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark",
"",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 215,
"FileHash-SHA1": 193,
"FileHash-SHA256": 1302,
"URL": 166,
"domain": 100,
"hostname": 234
},
"indicator_count": 2210,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "328 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "678f0dbdbc59dd2ea5656dcf",
"name": "Order ",
"description": "",
"modified": "2025-01-21T03:00:13.071000",
"created": "2025-01-21T03:00:13.071000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66f31b9a0551ca166c872292",
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "aclause21",
"id": "303913",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 31,
"modified_text": "454 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66804428b487338dc16f70a7",
"name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer",
"description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer",
"modified": "2024-11-05T10:00:12.606000",
"created": "2024-06-29T17:28:08.283000",
"tags": [
"unknown",
"united",
"virgin islands",
"as51852",
"as33387",
"as19905",
"as44273 host",
"cname",
"nxdomain",
"passive dns",
"url http",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"urls",
"files ip",
"address domain",
"ip related",
"pulses otx",
"pulses",
"related tags",
"indicator facts",
"dga domain",
"http",
"unique",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"ip address",
"related nids",
"log id",
"gmtn",
"go daddy",
"authority",
"tls web",
"arizona",
"scottsdale",
"ca issuers",
"b59bn timestamp",
"ff2c217402202b",
"code",
"false",
"url https",
"domain",
"trojan",
"hostname",
"files",
"body",
"date",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"mtb may",
"script script",
"trojanspy",
"striven",
"miles2",
"rexxfield",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"date sat",
"gmt server",
"sakula malware",
"historical ssl",
"realteck audio",
"lemon duck",
"iocs",
"tsara brashears",
"loki password",
"stealer",
"windows",
"auction",
"metro",
"core",
"colibri loader",
"hacktool",
"status",
"for privacy",
"creation date",
"record value",
"name servers",
"showing",
"next",
"mtb mar",
"ipv4",
"ransom",
"west domains",
"redacted for",
"gmt location",
"gmt max",
"cowboy",
"encrypt",
"as60558 phoenix",
"susp",
"win32",
"methodpost",
"canada unknown",
"as43350 nforce",
"united kingdom",
"as47846",
"germany unknown",
"briansabey",
"body doubles",
"orbiters",
"malvertising",
"cane",
"get na",
"show",
"as16509",
"delete c",
"sinkhole cookie",
"value snkz",
"cape",
"possible",
"copy",
"nivdort",
"write",
"bayrob",
"malware",
"exploit",
"confirm https",
"impact",
"misc http",
"cvss v2",
"authentication",
"n cvss",
"v3 severity",
"high attack",
"emails",
"cnc",
"alphacrypt cnc",
"beacon",
"as15169 google",
"limited",
"as8560",
"elite",
"AS33387 nocix llc",
"pegasus",
"mercenary",
"cellerebrand",
"cellebrite",
"apple",
"dark",
"apple ios",
"ios",
"apple iphone",
"apple itunes",
"itunes",
"pegasystem",
"data brokers",
"hackers",
"javascript",
"please",
"intel",
"filehash",
"av detections",
"xorddos"
],
"references": [
"http://www.northpoleroute.com/78985064&type=0&resid=5312625",
"espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
"Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
"Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
"Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
"IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
"IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Alerts: cape_detected_threat cape_extracted_content",
"https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
"Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
"Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
"TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
"PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
"PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
"PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
"https://otx.alienvault.com/indicator/ip/162.222.213.199",
"TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
"Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
"PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
"Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
"Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
"Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
"Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
"IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
"IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
"IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"https://otx.alienvault.com/indicator/ip/185.230.63.186",
"CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148",
"http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
"smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
"Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/ip/63.141.242.45",
"Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo",
"Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,",
"Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
"Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
"Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Ransom:Win32/Haperlock.A",
"display_name": "Ransom:Win32/Haperlock.A",
"target": "/malware/Ransom:Win32/Haperlock.A"
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "TrojanClicker:Win32/Ellell.A",
"display_name": "TrojanClicker:Win32/Ellell.A",
"target": "/malware/TrojanClicker:Win32/Ellell.A"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Win.Virus.TeslaCrypt3-2/Custom",
"display_name": "Win.Virus.TeslaCrypt3-2/Custom",
"target": null
},
{
"id": "PWS:Win32/Ymacco.AA50",
"display_name": "PWS:Win32/Ymacco.AA50",
"target": "/malware/PWS:Win32/Ymacco.AA50"
},
{
"id": "Ransom:Win32/Tescrypt",
"display_name": "Ransom:Win32/Tescrypt",
"target": "/malware/Ransom:Win32/Tescrypt"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan:Linux/Xorddos",
"display_name": "Trojan:Linux/Xorddos",
"target": "/malware/Trojan:Linux/Xorddos"
},
{
"id": "Sakula RAT",
"display_name": "Sakula RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 106,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3885,
"hostname": 1651,
"URL": 5981,
"FileHash-MD5": 486,
"FileHash-SHA256": 3859,
"SSLCertFingerprint": 2,
"FileHash-SHA1": 487,
"CVE": 7,
"email": 8
},
"indicator_count": 16366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "531 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f3e394bcf868816a29c2dc",
"name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton",
"description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.",
"modified": "2024-11-02T15:05:54.240000",
"created": "2024-03-15T05:58:44.839000",
"tags": [
"ISP",
"Google",
"Telus",
"Norton",
"Pixel"
],
"references": [
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Telecommunications",
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1231,
"FileHash-SHA1": 1215,
"FileHash-SHA256": 99653,
"URL": 158638,
"domain": 49468,
"hostname": 77233,
"email": 6,
"CIDR": 5450,
"CVE": 55
},
"indicator_count": 392949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "534 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66f31b9a0551ca166c872292",
"name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims",
"description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent",
"modified": "2024-10-24T19:00:50.385000",
"created": "2024-09-24T20:05:46.785000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 439,
"domain": 2416,
"hostname": 2154,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "543 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66e47020bdbbc384d102d169",
"name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer",
"description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys",
"modified": "2024-10-13T13:01:27.179000",
"created": "2024-09-13T17:02:24.806000",
"tags": [
"namecheap",
"server",
"registrar abuse",
"code",
"dnssec",
"email",
"contact phone",
"registrar iana",
"registrar url",
"registrar whois",
"date",
"vhash",
"authentihash",
"imphash",
"ssdeep",
"file type",
"win32 exe",
"magic pe32",
"ms windows",
"trid upx",
"win16 ne",
"generic",
"packer",
"info sections",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"upx0",
"1 upx1",
"upx2",
"sysinternals",
"zenbox",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"dynamic",
"utc na",
"utc facebook",
"html info",
"meta tags",
"commerce cloud",
"trackers google",
"tag manager",
"gtmkj5bfwx",
"utc gtmp4hkt96",
"utc gtm5z5w687v",
"sample",
"t1497",
"sandbox evasion",
"may sleep",
"downloads",
"http performs",
"mitre att",
"evasion ta0005",
"upx software",
"t1036 creates",
"get http",
"post http",
"number",
"ja3s",
"algorithm",
"subject",
"data",
"server ca",
"odigicert inc",
"cus lsan",
"calls",
"text",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"url https",
"http",
"ip address",
"related nids",
"files location",
"as8068",
"united",
"unknown",
"ref b",
"wed may",
"entries",
"mtb dec",
"body",
"please",
"twitter",
"malware",
"trojan",
"trojan features",
"related pulses",
"file samples",
"files matching",
"show",
"search",
"date hash",
"next",
"showing",
"worm",
"win32",
"alf features",
"aaaa",
"cname",
"united kingdom",
"creation date",
"certificate",
"tlsv1",
"oglobalsign",
"stzhejiang",
"lhangzhou",
"oalibaba",
"china",
"encrypt",
"copy",
"write",
"august",
"local",
"xport",
"regsetvalueexa",
"regdword",
"regbinary",
"medium",
"high",
"regsetvalueexw",
"regsz",
"langchinese",
"delphi",
"persistence",
"execution",
"read c",
"create c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"write c",
"delete c",
"mozilla",
"as62597 nsone",
"domain",
"as20940",
"as8075",
"virtool",
"whitelisted ip",
"location united",
"asn as8068",
"registrar",
"markmonitor",
"tags",
"related tags",
"threat roundup",
"october",
"historical ssl",
"referrer",
"round",
"december",
"november",
"guloader",
"files",
"detections file",
"name file",
"file size",
"name",
"html",
"cab null",
"ubuntu",
"linux x8664",
"contentlength",
"gobrut",
"malware c",
"c request",
"config",
"meta",
"photolan",
"moved",
"a domains",
"as47748 daticum",
"meta http",
"content",
"gmt server",
"ipv4",
"pragma",
"apache",
"sales",
"expiration date",
"name servers",
"asnone bulgaria",
"ns nxdomain",
"nxdomain",
"soa nxdomain",
"cape",
"gobrut malware",
"suricata",
"et malware",
"bruter cnc",
"checkin",
"activity",
"malware config",
"yara detections",
"contacted",
"a li",
"li ul",
"div div",
"set cookie",
"as29873",
"link",
"hong kong",
"as45102 alibaba",
"div li",
"gmt max",
"age2592000 path",
"log id",
"gmtn",
"tls web",
"ca issuers",
"timestamp",
"b715",
"b59bn timestamp",
"false",
"as2914 ntt",
"record value",
"data redacted",
"as4230 claro",
"invalid url",
"research group",
"as13768 aptum",
"canada unknown",
"canada",
"hostpapa",
"hosting",
"click",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"script domains",
"as3257 gtt",
"asnone canada",
"access denied",
"servers",
"emails",
"as397241",
"as31898 oracle",
"as397240",
"overview ip",
"flag united",
"hostname",
"files domain",
"as15169 google",
"as396982 google",
"as16625 akamai",
"as35994 akamai",
"france",
"discovery",
"t1010",
"t1012",
"t1027",
"information",
"t1055",
"injection",
"t1057",
"t1059",
"ssh attacker",
"mitm",
"aitm",
"tracker",
"botnet",
"binary",
"ghostscript",
"brendan coates",
"daley",
"trent wiltshire",
"aws botnet",
"filehashsha256",
"filehashsha1",
"filehashmd5",
"https",
"salitiy",
"unix malware",
"created",
"url http",
"unix",
"aws",
"role title",
"added active",
"report spam",
"quantumfiber",
"denver co",
"critical",
"default",
"traditional",
"compiler",
"intel",
"ms windows",
"ssdeep",
"rich pe",
"imphash",
"utc gtm5z5w687v",
"utc gtmp4hkt96",
"pecompact",
"packer",
"ids",
"commerce cloud",
"meta tags",
"gmt etag",
"accept encoding",
"accept",
"status",
"west domains",
"path",
"author avatar",
"active file",
"denver",
"vt graph",
"currently",
"im unaware",
"pnpd5d",
"susp",
"filehash",
"av detections",
"pecompact",
"february",
"asnone germany",
"as21499 host",
"singapore",
"germany",
"object",
"alerts",
"icmp traffic",
"createdate",
"microsoft color",
"msft",
"format",
"as44273 host",
"content type",
"kodak easyshare",
"easyshare",
"eastman kodak",
"kodak",
"kukacka",
"virus",
"rsdsr7siwwd d",
"install",
"service",
"explorer",
"windows",
"name type",
"md5 process",
"sqlite",
"sqlite version",
"active",
"pre crime",
"cyber attack",
"hackers",
"quantum fiber",
"quantumfiber.com",
"target tsara brashears",
"tech id",
"hallrender",
"brian sabey",
"hijack",
"spotify artists",
"idlinea8 sep",
"xo544",
"xa10629",
"sitegg",
"fcolorffffff",
"net1",
"inhibit system",
"oracle",
"level 3"
],
"references": [
"QuantumFiber.com a 2nd look",
"Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]",
"13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion",
"IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.",
"IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.",
"Win.Dropper.LokiBot-9975730-0",
"Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9",
"IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS",
"Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread",
"Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a",
"Yara Detections: Delphi",
"IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity",
"IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
"Query to a *.top domain - Likely Hostile Query for .cc TLD",
"Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad",
"Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction",
"Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config",
"Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat",
"Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Unix.Malware.Generic:",
"Unix.Malware.Generic:",
"networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt",
"wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com",
"Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys",
"Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0",
"Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0",
"Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win.Keylogger.Banbra-9936388-0",
"display_name": "Win.Keylogger.Banbra-9936388-0",
"target": null
},
{
"id": "#LowFiMalf_gen",
"display_name": "#LowFiMalf_gen",
"target": null
},
{
"id": "Trojan:Win32/Qbot",
"display_name": "Trojan:Win32/Qbot",
"target": "/malware/Trojan:Win32/Qbot"
},
{
"id": "ALF:Ransom:Win32/Babax",
"display_name": "ALF:Ransom:Win32/Babax",
"target": null
},
{
"id": "Worm:Win32/Mofksys",
"display_name": "Worm:Win32/Mofksys",
"target": "/malware/Worm:Win32/Mofksys"
},
{
"id": "ALF:Program:Win32/Webcompanion",
"display_name": "ALF:Program:Win32/Webcompanion",
"target": null
},
{
"id": "ALF:PUA:Block:IObit",
"display_name": "ALF:PUA:Block:IObit",
"target": null
},
{
"id": "Win.Dropper.LokiBot-9975730-0",
"display_name": "Win.Dropper.LokiBot-9975730-0",
"target": null
},
{
"id": "Win.Dropper.LokiBot-9975730-0",
"display_name": "Win.Dropper.LokiBot-9975730-0",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator",
"display_name": "VirTool:Win32/Obfuscator",
"target": "/malware/VirTool:Win32/Obfuscator"
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Unix.Malware.Generic-9875933-0",
"display_name": "Unix.Malware.Generic-9875933-0",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Unix",
"display_name": "Unix",
"target": null
},
{
"id": "AWS",
"display_name": "AWS",
"target": null
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "PDF:UrlMal-inf\\ [Trj]",
"display_name": "PDF:UrlMal-inf\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1510",
"name": "Clipboard Modification",
"display_name": "T1510 - Clipboard Modification"
},
{
"id": "T1414",
"name": "Capture Clipboard Data",
"display_name": "T1414 - Capture Clipboard Data"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1644,
"FileHash-SHA1": 1614,
"FileHash-SHA256": 2742,
"URL": 2708,
"domain": 2150,
"hostname": 2508,
"email": 21,
"SSLCertFingerprint": 33,
"CVE": 2
},
"indicator_count": 13422,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "554 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ba036c462091e25e94de49",
"name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware ",
"description": "",
"modified": "2024-10-12T00:01:26.015000",
"created": "2024-08-12T12:43:24.286000",
"tags": [
"network",
"orgdnsref",
"nethandle",
"net174",
"net1740000",
"mcics",
"swipp",
"swipper",
"jody alaska",
"jody huffines",
"verizon",
"eva120",
"block id",
"wirelessdatanetwork",
"swipp9-arin",
"united",
"et exploit",
"smbds ipc",
"show",
"search",
"default",
"asnone",
"nids",
"generic",
"query",
"service",
"wannacry",
"ransom",
"malware",
"copy",
"dock",
"write",
"eternalblue",
"recon",
"suspicious",
"realtek sdk",
"miniigd upnp",
"soap command",
"exploit",
"msie",
"windows nt",
"high",
"binbusybox",
"gafgyt",
"execution",
"mirai",
"newremotehost",
"mitm",
"port",
"destination",
"newexternalport",
"newprotocol",
"newinternalport",
"rf cum",
"newenabled",
"addpo",
"addportmapping",
"whois lookups",
"city",
"orgdnshandle",
"stateprov",
"loudoun county",
"postalcode",
"text",
"javascript",
"b file",
"files",
"file type",
"json",
"graph",
"t1064 executes",
"modify system",
"process t1543",
"systemd service",
"posts",
"mitre att",
"ta0002 command",
"t1059",
"create",
"ta0004 create",
"ip traffic",
"hashes",
"file system",
"libmultipath",
"devftwdt101",
"devsda1 devsda2",
"files deleted",
"e procselffd9",
"h devsda2",
"created binsh",
"shell commands",
"binsh binsh",
"binsh c",
"i lo",
"p m0755",
"varrunsshd",
"processes tree",
"referrer",
"pe resource",
"cry kill",
"formbook",
"ransomworm",
"wannacry kill",
"switch dns",
"password bypass",
"account stealer",
"hiddentear",
"installer",
"skynet",
"get http",
"memory pattern",
"http requests",
"request",
"host",
"cachecontrol",
"response",
"contentlength",
"httponly",
"samesitelax",
"mofresourcename",
"settingswpad",
"registry keys",
"hdaudiomofname",
"acpimofresource",
"mofresource",
"registry",
"kernel context",
"runtime modules",
"modules",
"urls",
"cloudflare",
"domains",
"ip detections",
"country",
"win32 exe",
"mb pe",
"mb graph",
"summary",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win16 ne",
"win32 dynamic",
"link library",
"vs98",
"info compiler",
"products id",
"sp6 build",
"header intel",
"name md5",
"type",
"language",
"contained",
"r english",
"yara rule",
"et trojan",
"domain http",
"cape",
"yara detections",
"alerts",
"logic",
"status",
"passive dns",
"creation date",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse submit",
"url analysis",
"date",
"next",
"as6167 verizon",
"as22394 verizon",
"showing",
"entries",
"aaaa",
"cname",
"asnone united",
"whitelisted",
"as20446",
"as8075",
"ipv4",
"unknown",
"emails",
"expiration date",
"name servers",
"aaaa nxdomain",
"ireland unknown",
"nxdomain",
"soa nxdomain",
"ns nxdomain",
"a nxdomain",
"as8068",
"united kingdom",
"domain",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"exploit none",
"rce",
"ate hash",
"spyware",
"adversary in the middle",
"smugglers gambit",
"hitmen",
"hallrender",
"sreredrum",
"pegasus related",
"brute force",
"target tsara brashears",
"brian sabey"
],
"references": [
"Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
"Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
"Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
"Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"Yara Detections: Mirai_Botnet_Malware",
"High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
"Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
"Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
"ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1",
"Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
"Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
"Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
"Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
"https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
"Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
"Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,",
"Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0",
"Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
"IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
"IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
"Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "Unix.Trojan.Mirai-7100807-0",
"display_name": "Unix.Trojan.Mirai-7100807-0",
"target": null
},
{
"id": "ELF:Mirai-AHC\\ [Trj]",
"display_name": "ELF:Mirai-AHC\\ [Trj]",
"target": null
},
{
"id": "Sf:WNCryLdr-A\\ [Trj]",
"display_name": "Sf:WNCryLdr-A\\ [Trj]",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
}
],
"industries": [
"Government",
"Healthcare",
"Civilian Society"
],
"TLP": "green",
"cloned_from": "66ba01cb6ef731c30679908b",
"export_count": 50,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2786,
"CIDR": 2,
"URL": 457,
"email": 12,
"hostname": 535,
"FileHash-MD5": 806,
"FileHash-SHA1": 791,
"BitcoinAddress": 3,
"domain": 367,
"CVE": 4
},
"indicator_count": 5763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "555 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ba01cb6ef731c30679908b",
"name": "BusyBox |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney",
"description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.",
"modified": "2024-10-12T00:01:26.015000",
"created": "2024-08-12T12:36:27.020000",
"tags": [
"network",
"orgdnsref",
"nethandle",
"net174",
"net1740000",
"mcics",
"swipp",
"swipper",
"jody alaska",
"jody huffines",
"verizon",
"eva120",
"block id",
"wirelessdatanetwork",
"swipp9-arin",
"united",
"et exploit",
"smbds ipc",
"show",
"search",
"default",
"asnone",
"nids",
"generic",
"query",
"service",
"wannacry",
"ransom",
"malware",
"copy",
"dock",
"write",
"eternalblue",
"recon",
"suspicious",
"realtek sdk",
"miniigd upnp",
"soap command",
"exploit",
"msie",
"windows nt",
"high",
"binbusybox",
"gafgyt",
"execution",
"mirai",
"newremotehost",
"mitm",
"port",
"destination",
"newexternalport",
"newprotocol",
"newinternalport",
"rf cum",
"newenabled",
"addpo",
"addportmapping",
"whois lookups",
"city",
"orgdnshandle",
"stateprov",
"loudoun county",
"postalcode",
"text",
"javascript",
"b file",
"files",
"file type",
"json",
"graph",
"t1064 executes",
"modify system",
"process t1543",
"systemd service",
"posts",
"mitre att",
"ta0002 command",
"t1059",
"create",
"ta0004 create",
"ip traffic",
"hashes",
"file system",
"libmultipath",
"devftwdt101",
"devsda1 devsda2",
"files deleted",
"e procselffd9",
"h devsda2",
"created binsh",
"shell commands",
"binsh binsh",
"binsh c",
"i lo",
"p m0755",
"varrunsshd",
"processes tree",
"referrer",
"pe resource",
"cry kill",
"formbook",
"ransomworm",
"wannacry kill",
"switch dns",
"password bypass",
"account stealer",
"hiddentear",
"installer",
"skynet",
"get http",
"memory pattern",
"http requests",
"request",
"host",
"cachecontrol",
"response",
"contentlength",
"httponly",
"samesitelax",
"mofresourcename",
"settingswpad",
"registry keys",
"hdaudiomofname",
"acpimofresource",
"mofresource",
"registry",
"kernel context",
"runtime modules",
"modules",
"urls",
"cloudflare",
"domains",
"ip detections",
"country",
"win32 exe",
"mb pe",
"mb graph",
"summary",
"pe32 executable",
"ms windows",
"intel",
"ms visual",
"win16 ne",
"win32 dynamic",
"link library",
"vs98",
"info compiler",
"products id",
"sp6 build",
"header intel",
"name md5",
"type",
"language",
"contained",
"r english",
"yara rule",
"et trojan",
"domain http",
"cape",
"yara detections",
"alerts",
"logic",
"status",
"passive dns",
"creation date",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse submit",
"url analysis",
"date",
"next",
"as6167 verizon",
"as22394 verizon",
"showing",
"entries",
"aaaa",
"cname",
"asnone united",
"whitelisted",
"as20446",
"as8075",
"ipv4",
"unknown",
"emails",
"expiration date",
"name servers",
"aaaa nxdomain",
"ireland unknown",
"nxdomain",
"soa nxdomain",
"ns nxdomain",
"a nxdomain",
"as8068",
"united kingdom",
"domain",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"exploit none",
"rce",
"ate hash",
"spyware",
"adversary in the middle",
"smugglers gambit",
"hitmen",
"hallrender",
"sreredrum",
"pegasus related",
"brute force",
"target tsara brashears",
"brian sabey"
],
"references": [
"Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
"Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
"Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
"Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"Yara Detections: Mirai_Botnet_Malware",
"High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
"Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
"Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
"ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1",
"Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
"Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
"Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
"Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
"https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
"Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
"Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,",
"Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0",
"Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
"IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
"IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
"Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "Unix.Trojan.Mirai-7100807-0",
"display_name": "Unix.Trojan.Mirai-7100807-0",
"target": null
},
{
"id": "ELF:Mirai-AHC\\ [Trj]",
"display_name": "ELF:Mirai-AHC\\ [Trj]",
"target": null
},
{
"id": "Sf:WNCryLdr-A\\ [Trj]",
"display_name": "Sf:WNCryLdr-A\\ [Trj]",
"target": null
},
{
"id": "Ransom:Win32/WannaCrypt.H",
"display_name": "Ransom:Win32/WannaCrypt.H",
"target": "/malware/Ransom:Win32/WannaCrypt.H"
},
{
"id": "Win.Ransomware.WannaCry-6313787-0",
"display_name": "Win.Ransomware.WannaCry-6313787-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
}
],
"industries": [
"Government",
"Healthcare",
"Civilian Society"
],
"TLP": "green",
"cloned_from": null,
"export_count": 41,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2826,
"CIDR": 2,
"URL": 549,
"email": 12,
"hostname": 587,
"FileHash-MD5": 806,
"FileHash-SHA1": 791,
"BitcoinAddress": 3,
"domain": 388,
"CVE": 4
},
"indicator_count": 5968,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "555 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b3fb6752ac464268b971b1",
"name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
"description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7",
"modified": "2024-09-05T07:02:20.491000",
"created": "2024-01-26T18:35:19.690000",
"tags": [
"no expiration",
"filehashsha1",
"filehashmd5",
"filehashsha256",
"url http",
"ipv4",
"iocs",
"url https",
"next",
"scan endpoints",
"expiration",
"domain",
"pdf report",
"pcap",
"all scoreblue",
"hostname",
"tagwearable",
"email",
"united",
"as46562",
"unknown",
"as213120",
"search",
"creation date",
"dnssec",
"showing",
"entries",
"as32400 hostway",
"encrypt",
"status",
"date",
"passive dns",
"urls",
"record value",
"apache",
"pragma",
"body",
"as9009 m247",
"pulse pulses",
"files",
"hosting",
"location new",
"as58955 bangmod",
"pulse submit",
"url analysis",
"reverse dns",
"all search",
"otx scoreblue",
"http",
"ip address",
"related nids",
"filehash",
"sha256",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"aaaa",
"a domains",
"address",
"div div",
"span span",
"span h2",
"a li",
"lucky guy",
"span",
"customer",
"location united",
"cookie",
"as54113",
"xamzexpires300",
"hstr",
"github pages",
"request id",
"accept",
"win64",
"found",
"show",
"win32",
"related pulses",
"sea x",
"cache",
"dynamicloader",
"targetname",
"pe32",
"intel",
"ms windows",
"yara rule",
"high",
"write",
"bruteforce",
"location china",
"asn as45090",
"cobalt strike",
"internet",
"iana",
"whois lookups",
"city",
"los angeles",
"orgabusephone",
"orgid",
"iana ref",
"net192",
"net1920000",
"ssl cert",
"ssl certificate",
"tlsv1 apr",
"cobaltstrike",
"default",
"read",
"trojan",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"malware",
"no entries",
"entries found",
"delete",
"found pe",
"stus",
"cnus",
"tlsv1",
"as20940",
"as16625 akamai",
"asnone united",
"emails",
"microsoft way",
"as8075",
"united kingdom",
"aaaa nxdomain",
"a nxdomain",
"nxdomain",
"as8068",
"as3356 level",
"as15133 verizon",
"as22822",
"as20446",
"cname",
"honeypot",
"read c",
"regsetvalueexa",
"regdword",
"as29789",
"moved",
"morphex",
"cryp",
"susp"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Brazil"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2401,
"FileHash-MD5": 2428,
"FileHash-SHA1": 2136,
"FileHash-SHA256": 5377,
"domain": 3794,
"hostname": 2763,
"CVE": 5,
"email": 19,
"SSLCertFingerprint": 4
},
"indicator_count": 18927,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "592 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6681f2c0105aaf9e1db540dc",
"name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Jeffery Scott Reimer Assault ",
"description": "",
"modified": "2024-07-29T16:00:46.118000",
"created": "2024-07-01T00:05:20.043000",
"tags": [
"unknown",
"united",
"virgin islands",
"as51852",
"as33387",
"as19905",
"as44273 host",
"cname",
"nxdomain",
"passive dns",
"url http",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"urls",
"files ip",
"address domain",
"ip related",
"pulses otx",
"pulses",
"related tags",
"indicator facts",
"dga domain",
"http",
"unique",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"ip address",
"related nids",
"log id",
"gmtn",
"go daddy",
"authority",
"tls web",
"arizona",
"scottsdale",
"ca issuers",
"b59bn timestamp",
"ff2c217402202b",
"code",
"false",
"url https",
"domain",
"trojan",
"hostname",
"files",
"body",
"date",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"mtb may",
"script script",
"trojanspy",
"striven",
"miles2",
"rexxfield",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"date sat",
"gmt server",
"sakula malware",
"historical ssl",
"realteck audio",
"lemon duck",
"iocs",
"tsara brashears",
"loki password",
"stealer",
"windows",
"auction",
"metro",
"core",
"colibri loader",
"hacktool",
"status",
"for privacy",
"creation date",
"record value",
"name servers",
"showing",
"next",
"mtb mar",
"ipv4",
"ransom",
"west domains",
"redacted for",
"gmt location",
"gmt max",
"cowboy",
"encrypt",
"as60558 phoenix",
"susp",
"win32",
"methodpost",
"canada unknown",
"as43350 nforce",
"united kingdom",
"as47846",
"germany unknown",
"briansabey",
"body doubles",
"orbiters",
"malvertising",
"cane",
"get na",
"show",
"as16509",
"delete c",
"sinkhole cookie",
"value snkz",
"cape",
"possible",
"copy",
"nivdort",
"write",
"bayrob",
"malware",
"exploit",
"confirm https",
"impact",
"misc http",
"cvss v2",
"authentication",
"n cvss",
"v3 severity",
"high attack",
"emails",
"cnc",
"alphacrypt cnc",
"beacon",
"as15169 google",
"limited",
"as8560",
"elite",
"AS33387 nocix llc",
"pegasus",
"mercenary",
"cellerebrand",
"cellebrite",
"apple",
"dark",
"apple ios",
"ios",
"apple iphone",
"apple itunes",
"itunes",
"pegasystem",
"data brokers",
"hackers",
"javascript",
"please",
"intel",
"filehash",
"av detections",
"xorddos"
],
"references": [
"http://www.northpoleroute.com/78985064&type=0&resid=5312625",
"espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
"Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
"Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
"Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
"IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
"IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Alerts: cape_detected_threat cape_extracted_content",
"https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
"Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
"Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
"TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
"PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
"PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
"PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
"https://otx.alienvault.com/indicator/ip/162.222.213.199",
"TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
"Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
"PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
"Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
"Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
"Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
"Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
"IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
"IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
"IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"https://otx.alienvault.com/indicator/ip/185.230.63.186",
"CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148",
"http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
"smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
"Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/ip/63.141.242.45",
"Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo",
"Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,",
"Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
"Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
"Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Ransom:Win32/Haperlock.A",
"display_name": "Ransom:Win32/Haperlock.A",
"target": "/malware/Ransom:Win32/Haperlock.A"
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "TrojanClicker:Win32/Ellell.A",
"display_name": "TrojanClicker:Win32/Ellell.A",
"target": "/malware/TrojanClicker:Win32/Ellell.A"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Win.Virus.TeslaCrypt3-2/Custom",
"display_name": "Win.Virus.TeslaCrypt3-2/Custom",
"target": null
},
{
"id": "PWS:Win32/Ymacco.AA50",
"display_name": "PWS:Win32/Ymacco.AA50",
"target": "/malware/PWS:Win32/Ymacco.AA50"
},
{
"id": "Ransom:Win32/Tescrypt",
"display_name": "Ransom:Win32/Tescrypt",
"target": "/malware/Ransom:Win32/Tescrypt"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan:Linux/Xorddos",
"display_name": "Trojan:Linux/Xorddos",
"target": "/malware/Trojan:Linux/Xorddos"
},
{
"id": "Sakula RAT",
"display_name": "Sakula RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66804428b487338dc16f70a7",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2091,
"hostname": 547,
"URL": 1254,
"FileHash-MD5": 425,
"FileHash-SHA256": 2161,
"SSLCertFingerprint": 2,
"FileHash-SHA1": 426,
"CVE": 2,
"email": 8
},
"indicator_count": 6916,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "630 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6680447d3a533233ed48b5e5",
"name": "Trojan:Linux/Xorddos | Trojan:Win32/Zombie.A | TrojanClicker:Win32/Ellell.A ",
"description": "",
"modified": "2024-07-29T16:00:46.118000",
"created": "2024-06-29T17:29:33.778000",
"tags": [
"unknown",
"united",
"virgin islands",
"as51852",
"as33387",
"as19905",
"as44273 host",
"cname",
"nxdomain",
"passive dns",
"url http",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"entries",
"urls",
"files ip",
"address domain",
"ip related",
"pulses otx",
"pulses",
"related tags",
"indicator facts",
"dga domain",
"http",
"unique",
"scan endpoints",
"all scoreblue",
"pulse pulses",
"ip address",
"related nids",
"log id",
"gmtn",
"go daddy",
"authority",
"tls web",
"arizona",
"scottsdale",
"ca issuers",
"b59bn timestamp",
"ff2c217402202b",
"code",
"false",
"url https",
"domain",
"trojan",
"hostname",
"files",
"body",
"date",
"path max",
"age86400 set",
"cookie",
"script urls",
"type",
"mtb may",
"script script",
"trojanspy",
"striven",
"miles2",
"rexxfield",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"date sat",
"gmt server",
"sakula malware",
"historical ssl",
"realteck audio",
"lemon duck",
"iocs",
"tsara brashears",
"loki password",
"stealer",
"windows",
"auction",
"metro",
"core",
"colibri loader",
"hacktool",
"status",
"for privacy",
"creation date",
"record value",
"name servers",
"showing",
"next",
"mtb mar",
"ipv4",
"ransom",
"west domains",
"redacted for",
"gmt location",
"gmt max",
"cowboy",
"encrypt",
"as60558 phoenix",
"susp",
"win32",
"methodpost",
"canada unknown",
"as43350 nforce",
"united kingdom",
"as47846",
"germany unknown",
"briansabey",
"body doubles",
"orbiters",
"malvertising",
"cane",
"get na",
"show",
"as16509",
"delete c",
"sinkhole cookie",
"value snkz",
"cape",
"possible",
"copy",
"nivdort",
"write",
"bayrob",
"malware",
"exploit",
"confirm https",
"impact",
"misc http",
"cvss v2",
"authentication",
"n cvss",
"v3 severity",
"high attack",
"emails",
"cnc",
"alphacrypt cnc",
"beacon",
"as15169 google",
"limited",
"as8560",
"elite",
"AS33387 nocix llc",
"pegasus",
"mercenary",
"cellerebrand",
"cellebrite",
"apple",
"dark",
"apple ios",
"ios",
"apple iphone",
"apple itunes",
"itunes",
"pegasystem",
"data brokers",
"hackers",
"javascript",
"please",
"intel",
"filehash",
"av detections",
"xorddos"
],
"references": [
"http://www.northpoleroute.com/78985064&type=0&resid=5312625",
"espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
"Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
"Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
"Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
"IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
"IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"Alerts: cape_detected_threat cape_extracted_content",
"https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
"Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
"Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
"TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
"PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
"PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
"PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
"https://otx.alienvault.com/indicator/ip/162.222.213.199",
"TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
"Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
"PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
"Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
"Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
"Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
"Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
"IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
"IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
"IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"https://otx.alienvault.com/indicator/ip/185.230.63.186",
"CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148",
"http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
"smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
"Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://otx.alienvault.com/indicator/ip/63.141.242.45",
"Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo",
"Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,",
"Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
"Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
"Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"https://hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "Ransom:Win32/Haperlock.A",
"display_name": "Ransom:Win32/Haperlock.A",
"target": "/malware/Ransom:Win32/Haperlock.A"
},
{
"id": "Backdoor:Win32/Fynloski.A",
"display_name": "Backdoor:Win32/Fynloski.A",
"target": "/malware/Backdoor:Win32/Fynloski.A"
},
{
"id": "TrojanClicker:Win32/Ellell.A",
"display_name": "TrojanClicker:Win32/Ellell.A",
"target": "/malware/TrojanClicker:Win32/Ellell.A"
},
{
"id": "Bayrob",
"display_name": "Bayrob",
"target": null
},
{
"id": "Win.Virus.TeslaCrypt3-2/Custom",
"display_name": "Win.Virus.TeslaCrypt3-2/Custom",
"target": null
},
{
"id": "PWS:Win32/Ymacco.AA50",
"display_name": "PWS:Win32/Ymacco.AA50",
"target": "/malware/PWS:Win32/Ymacco.AA50"
},
{
"id": "Ransom:Win32/Tescrypt",
"display_name": "Ransom:Win32/Tescrypt",
"target": "/malware/Ransom:Win32/Tescrypt"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Trojan:Linux/Xorddos",
"display_name": "Trojan:Linux/Xorddos",
"target": "/malware/Trojan:Linux/Xorddos"
},
{
"id": "Sakula RAT",
"display_name": "Sakula RAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66804428b487338dc16f70a7",
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2091,
"hostname": 547,
"URL": 1254,
"FileHash-MD5": 425,
"FileHash-SHA256": 2161,
"SSLCertFingerprint": 2,
"FileHash-SHA1": 426,
"CVE": 2,
"email": 8
},
"indicator_count": 6916,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "630 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65d8d45cc17efd77e0a4f285",
"name": "pcap things",
"description": "pcaps captured from mostly Google Pixel 7a Devices - Telus ISP 'Protected' by Norton / Norton Lifelock, touched by the joys of the U of A",
"modified": "2024-05-02T22:03:35.810000",
"created": "2024-02-23T17:22:36.824000",
"tags": [
"entity",
"dynamitelab",
"online pcap",
"file viewer"
],
"references": [
"https://www.virustotal.com/gui/collection/46ca419c04173d8536d50ac2d0ee2a1cb77d40073f78cbe97afd7eedae3a213a",
"https://www.virustotal.com/graph/embed/g15c17db48fbc4e208081cc74daf8d7ff20f58b08f2f445998a2c37182a1f0ca6?theme=dark",
"https://www.virustotal.com/graph/embed/gfe87d78638614a02ad3affd39fa6f519f01eccc6411c47db97ffd43c9613ec9a?theme=dark",
"https://www.virustotal.com/gui/collection/46ca419c04173d8536d50ac2d0ee2a1cb77d40073f78cbe97afd7eedae3a213a/summary",
"https://www.virustotal.com/graph/embed/g35655762e9374fde91a09af5d29fd4b991c4dde7b5524c4ba1c134983fbfd1a6?theme=dark",
"https://www.virustotal.com/graph/embed/gd282fcb0660e47c0be25fce29a6fe66df492edacdd71434e8d1602c472c9ba6c?theme=dark"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 59,
"FileHash-MD5": 39,
"FileHash-SHA1": 38,
"URL": 1071,
"domain": 161,
"hostname": 897
},
"indicator_count": 2265,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "718 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65c7b86fa120d19bbc88f367",
"name": "Hijacker",
"description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.",
"modified": "2024-03-11T17:01:59.026000",
"created": "2024-02-10T17:54:55.243000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"tsara brashears",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"high level",
"hackers",
"hacktool",
"download",
"malware",
"crypto",
"hijacker",
"monitoring",
"installer",
"tofsee",
"domains domains",
"domains files",
"files files",
"script",
"kgs0",
"kls0",
"relic",
"iframe",
"pe32 executable",
"ms windows",
"intel",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"generic",
"rticon neutral",
"info compiler",
"products id",
"header intel",
"name md5",
"contained",
"type",
"language",
"ico rtgroupicon",
"neutral",
"first",
"utc submissions",
"submitters",
"company limited",
"computer",
"amazonaes",
"china telecom",
"group",
"csc corporate",
"domains",
"malware spreading evader",
"cnc",
"malvertizing",
"milehighmedia",
"trojandropper",
"moved",
"passive dns",
"urls",
"as14576",
"backdoor",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"trojan",
"encrypt",
"body",
"date",
"date hash",
"avast avg",
"mtb may",
"kratona",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"urls https",
"script urls",
"united",
"meta",
"unknown",
"emails",
"name servers",
"search",
"as62597 nsone",
"a domains",
"as397241",
"media",
"next",
"december",
"unlocker",
"threat round",
"apple ios",
"apple phone",
"project",
"blister",
"agent tesla",
"open",
"execution",
"videos",
"strong",
"porn videos",
"watch",
"daddy",
"free",
"top rated",
"most viewed",
"cancel anytime",
"views",
"play",
"black",
"enjoy",
"czech",
"hunk",
"virtool",
"cryp",
"creation date",
"otx telemetry",
"expiration date",
"servers",
"status",
"win32",
"showing",
"domain",
"nxdomain",
"as8075",
"shell code",
"threat",
"cyber espionage",
"cyber stalking",
"danger",
"critical",
"attack",
"treats",
"as15169 google",
"aaaa",
"record value",
"error",
"entries",
"hostname",
"url http",
"http",
"files domain",
"files related",
"shinjiru msc",
"sdn bhd",
"dnssec",
"protect",
"as54455 madeit",
"phishing",
"backdoor",
"contextualizing",
"elevated exposure",
"malvertizing",
"ransom",
"msil",
"hackers for hire",
"hashes",
"http method",
"get http",
"http requests",
"get dns",
"ip traffic",
"memory pattern",
"pattern ips",
"@emreimer",
"iextract2",
"cp cyber",
"denver",
"security",
"siem compliance",
"skip",
"cybersecurity",
"larimer st",
"suite",
"resources cyber",
"risk assessment",
"bill",
"mind",
"delaware",
"pa",
"arizona",
"colorado",
"stalkers",
"deuteronomy 28:7",
"hitmen"
],
"references": [
"honey.exe",
"0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550",
"CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community",
"CS Sigma Rules: Python Initiated Connection by frack113",
"CS Sigma Rules: Use Remove-Item to Delete File by frack113",
"CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)",
"Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"api.login.live.com",
"http://appleid.icloud.com-website33.org/",
"https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]",
"FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]",
"http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]",
"message.htm.com",
"http://pornhub.com/gay/video/search",
"CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111",
"stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "W32.Sality.PE",
"display_name": "W32.Sality.PE",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Virus.Win32.Virut.q",
"display_name": "Virus.Win32.Virut.q",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "TrojanDropper:Win32",
"display_name": "TrojanDropper:Win32",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1415",
"name": "URL Scheme Hijacking",
"display_name": "T1415 - URL Scheme Hijacking"
},
{
"id": "T1122",
"name": "Component Object Model Hijacking",
"display_name": "T1122 - Component Object Model Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 54,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6303,
"FileHash-MD5": 215,
"FileHash-SHA1": 192,
"FileHash-SHA256": 2663,
"domain": 2673,
"hostname": 2686,
"CVE": 2,
"email": 16
},
"indicator_count": 14750,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "770 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b47524b1ec6b5c783a832e",
"name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
"description": "",
"modified": "2024-02-25T17:03:29.232000",
"created": "2024-01-27T03:14:44.070000",
"tags": [
"no expiration",
"filehashsha1",
"filehashmd5",
"filehashsha256",
"url http",
"ipv4",
"iocs",
"url https",
"next",
"scan endpoints",
"expiration",
"domain",
"pdf report",
"pcap",
"all scoreblue",
"hostname",
"tagwearable",
"email",
"united",
"as46562",
"unknown",
"as213120",
"search",
"creation date",
"dnssec",
"showing",
"entries",
"as32400 hostway",
"encrypt",
"status",
"date",
"passive dns",
"urls",
"record value",
"apache",
"pragma",
"body",
"as9009 m247",
"pulse pulses",
"files",
"hosting",
"location new",
"as58955 bangmod",
"pulse submit",
"url analysis",
"reverse dns",
"all search",
"otx scoreblue",
"http",
"ip address",
"related nids",
"filehash",
"sha256",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"aaaa",
"a domains",
"address",
"div div",
"span span",
"span h2",
"a li",
"lucky guy",
"span",
"customer",
"location united",
"cookie",
"as54113",
"xamzexpires300",
"hstr",
"github pages",
"request id",
"accept",
"win64",
"found",
"show",
"win32",
"related pulses",
"sea x",
"cache",
"dynamicloader",
"targetname",
"pe32",
"intel",
"ms windows",
"yara rule",
"high",
"write",
"bruteforce",
"location china",
"asn as45090",
"cobalt strike",
"internet",
"iana",
"whois lookups",
"city",
"los angeles",
"orgabusephone",
"orgid",
"iana ref",
"net192",
"net1920000",
"ssl cert",
"ssl certificate",
"tlsv1 apr",
"cobaltstrike",
"default",
"read",
"trojan",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"malware",
"no entries",
"entries found",
"delete",
"found pe",
"stus",
"cnus",
"tlsv1",
"as20940",
"as16625 akamai",
"asnone united",
"emails",
"microsoft way",
"as8075",
"united kingdom",
"aaaa nxdomain",
"a nxdomain",
"nxdomain",
"as8068",
"as3356 level",
"as15133 verizon",
"as22822",
"as20446",
"cname",
"honeypot",
"read c",
"regsetvalueexa",
"regdword",
"as29789",
"moved",
"morphex",
"cryp",
"susp"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Brazil"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65b3fb6752ac464268b971b1",
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1530,
"FileHash-MD5": 2428,
"FileHash-SHA1": 2136,
"FileHash-SHA256": 5239,
"domain": 3740,
"hostname": 2560,
"CVE": 5,
"email": 19,
"SSLCertFingerprint": 4
},
"indicator_count": 17661,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b80982381b53c66f0dd1e1",
"name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage",
"description": "",
"modified": "2024-02-25T17:03:29.232000",
"created": "2024-01-29T20:24:34.644000",
"tags": [
"no expiration",
"filehashsha1",
"filehashmd5",
"filehashsha256",
"url http",
"ipv4",
"iocs",
"url https",
"next",
"scan endpoints",
"expiration",
"domain",
"pdf report",
"pcap",
"all scoreblue",
"hostname",
"tagwearable",
"email",
"united",
"as46562",
"unknown",
"as213120",
"search",
"creation date",
"dnssec",
"showing",
"entries",
"as32400 hostway",
"encrypt",
"status",
"date",
"passive dns",
"urls",
"record value",
"apache",
"pragma",
"body",
"as9009 m247",
"pulse pulses",
"files",
"hosting",
"location new",
"as58955 bangmod",
"pulse submit",
"url analysis",
"reverse dns",
"all search",
"otx scoreblue",
"http",
"ip address",
"related nids",
"filehash",
"sha256",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"june",
"copy",
"aaaa",
"a domains",
"address",
"div div",
"span span",
"span h2",
"a li",
"lucky guy",
"span",
"customer",
"location united",
"cookie",
"as54113",
"xamzexpires300",
"hstr",
"github pages",
"request id",
"accept",
"win64",
"found",
"show",
"win32",
"related pulses",
"sea x",
"cache",
"dynamicloader",
"targetname",
"pe32",
"intel",
"ms windows",
"yara rule",
"high",
"write",
"bruteforce",
"location china",
"asn as45090",
"cobalt strike",
"internet",
"iana",
"whois lookups",
"city",
"los angeles",
"orgabusephone",
"orgid",
"iana ref",
"net192",
"net1920000",
"ssl cert",
"ssl certificate",
"tlsv1 apr",
"cobaltstrike",
"default",
"read",
"trojan",
"ghost rat",
"webtoolbar",
"nanocore rat",
"gamehack",
"redlinestealer",
"installcore",
"installbrain",
"emotet",
"tofsee",
"bradesco",
"agent tesla",
"trojanspy",
"suppobox",
"occamy",
"dnspionage",
"stealer",
"malware",
"no entries",
"entries found",
"delete",
"found pe",
"stus",
"cnus",
"tlsv1",
"as20940",
"as16625 akamai",
"asnone united",
"emails",
"microsoft way",
"as8075",
"united kingdom",
"aaaa nxdomain",
"a nxdomain",
"nxdomain",
"as8068",
"as3356 level",
"as15133 verizon",
"as22822",
"as20446",
"cname",
"honeypot",
"read c",
"regsetvalueexa",
"regdword",
"as29789",
"moved",
"morphex",
"cryp",
"susp"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Brazil"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65b47524b1ec6b5c783a832e",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1530,
"FileHash-MD5": 2428,
"FileHash-SHA1": 2136,
"FileHash-SHA256": 5239,
"domain": 3740,
"hostname": 2560,
"CVE": 5,
"email": 19,
"SSLCertFingerprint": 4
},
"indicator_count": 17661,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "785 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659d15c13f838593a01984b6",
"name": "Project Hilo",
"description": "",
"modified": "2024-02-08T09:05:26.319000",
"created": "2024-01-09T09:45:37.584000",
"tags": [
"creation date",
"servers",
"passive dns",
"urls",
"search",
"name servers",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"showing",
"files",
"files ip",
"whois record",
"ssl certificate",
"historical ssl",
"resolutions",
"whois whois",
"siblings",
"trojan bank",
"m referrer",
"subdomains",
"execution",
"dropped",
"whois",
"bank",
"parent siblings",
"referrer",
"as8075",
"united",
"nxdomain",
"united kingdom",
"south korea",
"unknown",
"mascore2",
"nct1",
"arc1",
"ems1",
"localeenus",
"htd1",
"lang1033",
"devlangen"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 536,
"email": 3,
"hostname": 1486,
"URL": 2496,
"FileHash-SHA256": 784,
"FileHash-MD5": 27,
"FileHash-SHA1": 13
},
"indicator_count": 5345,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 218,
"modified_text": "802 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659ab3389d6c91dc01801fe5",
"name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/",
"description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears",
"modified": "2024-02-06T14:00:04.985000",
"created": "2024-01-07T14:20:40.610000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"redacted for",
"privacy tech",
"privacy admin",
"date",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"whois record",
"ssl certificate",
"historical ssl",
"whois whois",
"september",
"redline stealer",
"whois",
"threat roundup",
"bangladesh",
"communicating",
"prynt stealer",
"banker",
"keylogger",
"dtrack",
"prynt",
"name verdict",
"falcon sandbox",
"pattern match",
"jpeg image",
"jfif",
"ascii text",
"united",
"appdata",
"file",
"indicator",
"et tor",
"known tor",
"class",
"unknown",
"general",
"hybrid",
"local",
"win64",
"click",
"twitter",
"strings",
"generator",
"critical",
"error",
"trident",
"cascade",
"darpa",
"registrar",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"whois service",
"form",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"headers nel",
"contentencoding",
"gmt connection",
"search",
"for privacy",
"status",
"showing",
"passive dns",
"urls",
"ionos se",
"creation date",
"next",
"aaaa",
"pulse pulses",
"files",
"united kingdom",
"whitelisted",
"worm",
"gmt contenttype",
"scan endpoints",
"all octoseek",
"ipv4",
"body",
"http",
"unique",
"screenshot",
"url http",
"ip address",
"internet se",
"emails",
"name servers",
"dnssec",
"as63949 linode",
"all search",
"otx octoseek",
"related nids",
"reverse dns",
"netherlands asn",
"contacted",
"resolutions",
"referrer",
"mirai malware",
"urls http",
"parent referrer",
"certificate",
"record value",
"entries",
"dynamicloader",
"yara rule",
"high",
"sinkhole cookie",
"et trojan",
"medium",
"yara detections",
"virtool",
"value snkz",
"less see",
"possible",
"august",
"copy",
"expiro",
"public folder",
"pictures",
"videos",
"music",
"anomalous file",
"media player",
"url https",
"delete c",
"ms windows",
"pe32",
"intel",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"write",
"malware",
"template",
"findwindowa",
"ollydbg",
"regsetvalueexa",
"regdword",
"high process",
"x8bxe5",
"regbinary",
"injection t1055",
"t1055",
"zeppelin",
"win32",
"internal",
"malware beacon",
"a checkin",
"create c",
"read c",
"write c",
"msie",
"suspicious",
"slcc2",
"media center",
"as20940",
"as2914 ntt",
"as16625 akamai",
"a domains",
"cdata",
"script",
"as8068",
"mtb oct",
"location canada",
"trojanspy",
"xpire.info",
"searchmeup",
"cname",
"as35994 akamai",
"as14061",
"as9009 m247",
"samples",
"as25577 ide",
"hostnames",
"show",
"info compiler",
"products",
"vs2008 sp1",
"vs2008",
"vs2010",
"header target",
"machine intel",
"utc entry",
"point",
"sections",
"info",
"hashes c2ae",
"zenbox",
"detections file",
"name",
"html",
"win32 exe",
"javascript",
"contacted ip",
"ip detections",
"gandi sas",
"godaddy online",
"cayman",
"dynadot",
"domains",
"psiusa",
"domain robot",
"dynadot inc",
"net technology",
"tsara brashears",
"apple phone",
"unlocker",
"shell code",
"simda",
"amazon 02",
"metro",
"infected",
"qakbot"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Prynt",
"display_name": "Prynt",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Xpire.info",
"display_name": "Xpire.info",
"target": null
},
{
"id": "Searchmeup",
"display_name": "Searchmeup",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2129,
"FileHash-SHA1": 1459,
"FileHash-SHA256": 5050,
"URL": 7341,
"domain": 3041,
"hostname": 3214,
"email": 12,
"CVE": 1
},
"indicator_count": 22247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "804 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659ab33e614882a4a7451ca8",
"name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/",
"description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears",
"modified": "2024-02-06T14:00:04.985000",
"created": "2024-01-07T14:20:46.936000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls https",
"algorithm",
"data",
"v3 serial",
"number",
"cus cnr3",
"olet",
"subject public",
"key info",
"key algorithm",
"key identifier",
"redacted for",
"privacy tech",
"privacy admin",
"date",
"server",
"country",
"organization",
"postal code",
"stateprovince",
"code",
"whois record",
"ssl certificate",
"historical ssl",
"whois whois",
"september",
"redline stealer",
"whois",
"threat roundup",
"bangladesh",
"communicating",
"prynt stealer",
"banker",
"keylogger",
"dtrack",
"prynt",
"name verdict",
"falcon sandbox",
"pattern match",
"jpeg image",
"jfif",
"ascii text",
"united",
"appdata",
"file",
"indicator",
"et tor",
"known tor",
"class",
"unknown",
"general",
"hybrid",
"local",
"win64",
"click",
"twitter",
"strings",
"generator",
"critical",
"error",
"trident",
"cascade",
"darpa",
"registrar",
"rdds service",
"record",
"registrant",
"admin",
"tech contact",
"whois service",
"form",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"headers nel",
"contentencoding",
"gmt connection",
"search",
"for privacy",
"status",
"showing",
"passive dns",
"urls",
"ionos se",
"creation date",
"next",
"aaaa",
"pulse pulses",
"files",
"united kingdom",
"whitelisted",
"worm",
"gmt contenttype",
"scan endpoints",
"all octoseek",
"ipv4",
"body",
"http",
"unique",
"screenshot",
"url http",
"ip address",
"internet se",
"emails",
"name servers",
"dnssec",
"as63949 linode",
"all search",
"otx octoseek",
"related nids",
"reverse dns",
"netherlands asn",
"contacted",
"resolutions",
"referrer",
"mirai malware",
"urls http",
"parent referrer",
"certificate",
"record value",
"entries",
"dynamicloader",
"yara rule",
"high",
"sinkhole cookie",
"et trojan",
"medium",
"yara detections",
"virtool",
"value snkz",
"less see",
"possible",
"august",
"copy",
"expiro",
"public folder",
"pictures",
"videos",
"music",
"anomalous file",
"media player",
"url https",
"delete c",
"ms windows",
"pe32",
"intel",
"windows nt",
"wow64",
"khtml",
"gecko",
"query",
"write",
"malware",
"template",
"findwindowa",
"ollydbg",
"regsetvalueexa",
"regdword",
"high process",
"x8bxe5",
"regbinary",
"injection t1055",
"t1055",
"zeppelin",
"win32",
"internal",
"malware beacon",
"a checkin",
"create c",
"read c",
"write c",
"msie",
"suspicious",
"slcc2",
"media center",
"as20940",
"as2914 ntt",
"as16625 akamai",
"a domains",
"cdata",
"script",
"as8068",
"mtb oct",
"location canada",
"trojanspy",
"xpire.info",
"searchmeup",
"cname",
"as35994 akamai",
"as14061",
"as9009 m247",
"samples",
"as25577 ide",
"hostnames",
"show",
"info compiler",
"products",
"vs2008 sp1",
"vs2008",
"vs2010",
"header target",
"machine intel",
"utc entry",
"point",
"sections",
"info",
"hashes c2ae",
"zenbox",
"detections file",
"name",
"html",
"win32 exe",
"javascript",
"contacted ip",
"ip detections",
"gandi sas",
"godaddy online",
"cayman",
"dynadot",
"domains",
"psiusa",
"domain robot",
"dynadot inc",
"net technology",
"tsara brashears",
"apple phone",
"unlocker",
"shell code",
"simda",
"amazon 02",
"metro",
"infected",
"qakbot"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Prynt",
"display_name": "Prynt",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Xpire.info",
"display_name": "Xpire.info",
"target": null
},
{
"id": "Searchmeup",
"display_name": "Searchmeup",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2129,
"FileHash-SHA1": 1459,
"FileHash-SHA256": 5050,
"URL": 7341,
"domain": 3041,
"hostname": 3214,
"email": 12,
"CVE": 1
},
"indicator_count": 22247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "804 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a4898fa85cad0af83e032d",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ",
"description": "",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-15T01:25:35.060000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "659864448507cc1752ff6456",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659864357d1d3185efc5c112",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus",
"description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-05T20:19:01.457000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659864448507cc1752ff6456",
"name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus",
"description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.",
"modified": "2024-02-04T18:00:29.833000",
"created": "2024-01-05T20:19:16.886000",
"tags": [
"ssl certificate",
"whois record",
"execution",
"contacted",
"dropped",
"historical ssl",
"communicating",
"referrer",
"stolec kradnie",
"vt graph",
"first",
"utc submissions",
"submitters",
"amazonaes",
"amazon02",
"cloudflarenet",
"gandi sas",
"csc corporate",
"ltd dba",
"com laude",
"facebook",
"paris",
"twitter",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"url https",
"samples",
"bundled",
"tracking",
"tsara brashears",
"malware hunting",
"hacktool",
"emotet",
"copy",
"brashears",
"dynadot inc",
"enom",
"srsplus",
"spaceship",
"CVE-2017-0147",
"spy cve",
"pegasus",
"CVE-2017-0147 also found in Pegasus",
"mile high",
"logos",
"trademarks",
"aylo premium",
"click",
"record keeping",
"statement",
"all rights",
"reserved",
"vendo",
"hostnames",
"urls https",
"namecheap inc",
"feeds ioc",
"maltiverse",
"analyze",
"fastly",
"mb installer",
"helper",
"summary iocs",
"graph community",
"urls",
"urls http",
"united",
"unknown",
"msie",
"chrome",
"passive dns",
"body",
"date",
"gmt server",
"user agent",
"content type",
"encrypt",
"accept",
"as136800 sun",
"ipv4",
"pulse submit",
"url analysis",
"files",
"location hong",
"kong asn",
"dns resolutions",
"dinkle threat",
"mirai",
"hallrender",
"briansabey",
"brian sabey",
"mark sabey",
"uche6vol",
"uc health medical campus colorado medical campus",
"abuse"
],
"references": [
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"CVE-2017-0147",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"114.114.114.114 - Tulach Malware",
"Targeting",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"tsarabrashears.com",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"sweetheartvideo.com",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"www.dead-speak.com",
"Certificate Subject CN=brazzerspesonals.com",
"http://r3.o.lencr.org",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"104.247.75.218 | [cnc ]",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BRASHEARS",
"display_name": "BRASHEARS",
"target": null
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "TULACH",
"display_name": "TULACH",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "CVE-2017-0147",
"display_name": "CVE-2017-0147",
"target": null
},
{
"id": "SPACESHIP",
"display_name": "SPACESHIP",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Virus:DOS/Paris",
"display_name": "Virus:DOS/Paris",
"target": "/malware/Virus:DOS/Paris"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 885,
"FileHash-SHA1": 505,
"FileHash-SHA256": 5051,
"URL": 12316,
"domain": 3944,
"hostname": 4449,
"CVE": 2
},
"indicator_count": 27152,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6552d60aae6e1b3c22455088",
"name": "Hive 0065",
"description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
"modified": "2023-12-13T16:00:45.799000",
"created": "2023-11-14T02:06:02.329000",
"tags": [
"united",
"as8075",
"creation date",
"unknown",
"search",
"entries",
"asnone country",
"scan endpoints",
"all search",
"otx octoseek",
"related domains",
"show",
"domain related",
"xbox",
"whois record",
"contacted",
"whois whois",
"ssl certificate",
"communicating",
"referrer",
"execution",
"historical ssl",
"bundled",
"family",
"lolkek",
"formbook",
"skynet",
"lockbit",
"ursnif",
"attack",
"core"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4276,
"email": 3,
"hostname": 2288,
"FileHash-MD5": 51,
"FileHash-SHA1": 49,
"FileHash-SHA256": 2756,
"URL": 8696,
"CVE": 1
},
"indicator_count": 18120,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "859 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6552d6f5f56d2e9cd9e18a30",
"name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
"description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
"modified": "2023-12-13T16:00:45.799000",
"created": "2023-11-14T02:09:57.370000",
"tags": [
"united",
"as8075",
"creation date",
"unknown",
"search",
"entries",
"asnone country",
"scan endpoints",
"all search",
"otx octoseek",
"related domains",
"show",
"domain related",
"xbox",
"whois record",
"contacted",
"whois whois",
"ssl certificate",
"communicating",
"referrer",
"execution",
"historical ssl",
"bundled",
"family",
"lolkek",
"formbook",
"skynet",
"lockbit",
"ursnif",
"attack",
"core"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 4276,
"email": 3,
"hostname": 2288,
"FileHash-MD5": 51,
"FileHash-SHA1": 49,
"FileHash-SHA256": 2756,
"URL": 8696,
"CVE": 1
},
"indicator_count": 18120,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "859 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config",
"Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0",
"smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]",
"Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"https://www.virustotal.com/graph/embed/gd67698ddea1e47ca9b50e0e0bf5b34ffbc6e4305328d4dfc997a86046da0cda6?theme=dark",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior",
"IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
"PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7",
"Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1",
"Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread",
"Yara Detections: Mirai_Botnet_Malware",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"https://otx.alienvault.com/indicator/ip/185.230.63.186",
"Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
"https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
"FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]",
"Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"honey.exe",
"Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534",
"IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
"tsarabrashears.com",
"Government of AB https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecce OTX AlienVault 2096",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Verification failure observed in automated verification handlers during sandbox replay.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943",
"http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61",
"config.txt",
"Alerts: cape_detected_threat cape_extracted_content",
"IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264",
"config-5.15.44-Re4son-v7+",
"https://otx.alienvault.com/indicator/ip/162.222.213.199",
"stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats",
"https://www.virustotal.com/gui/collection/2e519dcc314b2c036e7f6b5e7e691bc359a1300fa0521022aef0ce66ce48f1c7/iocs",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules",
"http://r3.o.lencr.org",
"Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx",
"https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
"config-5.15.44-Re4son-v8+",
"PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a",
"https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"https://www.adultforce.com/ [malvertizing Tsara Brashears]",
"Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc",
"Query to a *.top domain - Likely Hostile Query for .cc TLD",
"Certificate Subject CN=brazzerspesonals.com",
"Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e",
"https://hallrender.com/attorney/brian-sabey",
"https://www.virustotal.com/graph/embed/gfe87d78638614a02ad3affd39fa6f519f01eccc6411c47db97ffd43c9613ec9a?theme=dark",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49",
"https://otx.alienvault.com/indicator/ip/63.141.242.45",
"Yara Detections: Delphi",
"TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02",
"https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark",
"sweetheartvideo.com",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"https://www.albertahealthservices.ca/lab/lab.aspx",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)",
"Office Application Initiated Network Connection To Non-Local IP",
"https://pin.it/ malicious Pinterest redirect targets Tsara Brashears",
"Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148",
"Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"LICENCE.broadcom",
"IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs",
"https://www.virustotal.com/graph/embed/g35655762e9374fde91a09af5d29fd4b991c4dde7b5524c4ba1c134983fbfd1a6?theme=dark",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
"Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
"Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
"Win.Dropper.LokiBot-9975730-0",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"grub_background.sh",
"https://www.virustotal.com/gui/collection/2e519dcc314b2c036e7f6b5e7e691bc359a1300fa0521022aef0ce66ce48f1c7",
"Scan ID: S-5thsJ4jlWSA",
"www.dead-speak.com",
"http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]",
"https://www.virustotal.com/graph/embed/g7eeb81c43b7e4ea6b1ec5d4716cae14e7d2751b6451748739bb78e5714281967?theme=dark",
"COPYING.linux",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"http://www.northpoleroute.com/78985064&type=0&resid=5312625",
"PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4",
"Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,",
"",
"ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1",
"Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"DISTINCTIO8.pdf",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"config-5.15.44-Re4son-v7l+",
"CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec",
"api.login.live.com",
"QuantumFiber.com a 2nd look",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"CS Sigma Rules: Use Remove-Item to Delete File by frack113",
"Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9",
"config-5.15.44-Re4son-v8l+",
"IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz",
"104.247.75.218 | [cnc ]",
"TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe",
"TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6",
"114.114.114.114 - Tulach Malware",
"Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845",
"www.governmentattic.org [privilege: malicious malware downloading]",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550",
"Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin",
"networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"http://pornhub.com/gay/video/search",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"CS Sigma Rules: Python Initiated Connection by frack113",
"https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79",
"Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
"Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"https://www.virustotal.com/gui/collection/46ca419c04173d8536d50ac2d0ee2a1cb77d40073f78cbe97afd7eedae3a213a/summary",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad",
"http://appleid.icloud.com-website33.org/",
"https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96",
"Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0",
"Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
"Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS",
"PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb",
"Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]",
"www.pornhubselect.com | pornhub.software",
"Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad",
"espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net",
"message.htm.com",
"Unix.Malware.Generic:",
"wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com",
"Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction",
"https://www.virustotal.com/graph/embed/gd282fcb0660e47c0be25fce29a6fe66df492edacdd71434e8d1602c472c9ba6c?theme=dark",
"\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147",
"CVE-2017-0147",
"https://www.virustotal.com/gui/collection/46ca419c04173d8536d50ac2d0ee2a1cb77d40073f78cbe97afd7eedae3a213a",
"https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity",
"https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada",
"13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion",
"Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
"Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO",
"Yara Detections: is__elf , DemonBot",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"UAlberta = https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665da3e8886f5e4ecbe",
"PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251",
"Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0",
"IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon",
"IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee",
"README",
"config-5.15.44-Re4son+",
"Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details",
"Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]",
"Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"https://www.virustotal.com/graph/embed/g15c17db48fbc4e208081cc74daf8d7ff20f58b08f2f445998a2c37182a1f0ca6?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559",
"IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
"https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark",
"IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
"theme.txt",
"Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
"https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]",
"https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary",
"https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys",
"Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Targeting",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin",
"IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
"https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data",
"Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"cmdline.txt",
"Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f",
"IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"https://tulach.cc/ | tulach.cc |",
"IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.",
"https://www.virustotal.com/graph/embed/g1ed56ef53af34510a0e0ee0c2d204f066a8684fa5aeb4e69aef49403742ef6a5?theme=dark"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Unix",
"Win.malware.qshell-9875653-0",
"Win.dropper.lokibot-9975730-0",
"Pdf:urlmal-inf\\ [trj]",
"Virus:win32/sivis.a",
"Hallrender",
"Pegasus for ios - s0289",
"Virtool:win32/obfuscator",
"Ransom",
"Cve-2023-27350",
"Sakula rat",
"Virtool",
"Prynt",
"Virus.win32.virut.q",
"Trojanspy:win32/nivdort.cw",
"Cve-2017-0147",
"Trojan:win32/zombie.a",
"Ransom:win32/wannacrypt.h",
"#lowfimalf_gen",
"Alf:pua:block:iobit",
"Pegasus for android - mob-s0032",
"Alf:ransom:win32/babax",
"Aws",
"Alf:heraklezeval:trojan:win32/c2lop",
"Win.trojan.installcore-1177",
"#exploit:win32/blofeldscat",
"Tel:exploit:html/pswebkit",
"Elf:mirai-ahc\\ [trj]",
"Ransom:win32/tescrypt",
"Backdoor:win32/tofsee",
"Bayrob",
"Nids",
"Ransom:win32/haperlock",
"Unix.trojan.mirai-6981169-0",
"Trojanclicker:win32/ellell.a",
"Unix.malware.generic-9875933-0",
"Tel:createscheduledtask",
"Brashears",
"Cve-2017-17215",
"Pws:win32/ymacco.aa50",
"Cve-2014-8361",
"Trojanspy",
"Onelouder",
"Trojan:linux/xorddos",
"Backdoor:win32/fynloski.a",
"#lowfi:hstr:pyinstaller_packaged_script",
"Ransomware",
"Pws:win32/qqpass.b!mtb",
"Unix.trojan.mirai-7100807-0",
"Spaceship",
"W32.sality.pe",
"Win.malware.oxypumper-6900435-0",
"Win.ransomware.wannacry-6313787-0",
"Relic",
"Ransom:win32/haperlock.a",
"Virus:dos/paris",
"Tofsee",
"Mirai",
"Worm:win32/mofksys",
"Sabey",
"Win.keylogger.banbra-9936388-0",
"Alf:program:win32/webcompanion",
"Searchmeup",
"Trojandownloader:win32/upatre",
"Alf:trojan:win32/formbook",
"Trojan:win32/qbot",
"Hallgrand",
"Xpire.info",
"Tulach",
"Trojan:win32/neurevt",
"Sf:wncryldr-a\\ [trj]",
"Win.trojan.sarwent-10012602-0",
"Ddos:linux/gafgyt.ya!mtb",
"M1",
"Trojandropper:win32",
"#lowfienabledtcontinueafterunpacking",
"Hacktool",
"Win.virus.teslacrypt3-2/custom",
"Virtool:win32/injector"
],
"industries": [
"Energy",
"Technology",
"Telecommunications",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Healthcare",
"Agriculture",
"Finance",
"Transportation",
"Civilian society",
"Government",
"Education"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc70fcbd3f613502e1f7",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T09:28:38.049000",
"created": "2026-04-17T06:00:16.867000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 442,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24911,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1cc6fd3c4022e08db781d",
"name": "order clone by aclause21 Public",
"description": "",
"modified": "2026-04-17T06:51:33.372000",
"created": "2026-04-17T06:00:15.760000",
"tags": [
"access ta0001",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"catalog tree",
"ob0005 defense",
"evasion ob0006",
"impact ob0008",
"hashes cape",
"sandbox",
"docguard",
"yomi hunter",
"zenbox",
"ip traffic",
"pattern domains",
"memory pattern",
"urls https",
"adversaries",
"mitre att",
"t1189 found",
"clickable urls",
"pdf execution",
"t1036",
"creates",
"hide artifacts",
"exploitation",
"e1564 hidden",
"files",
"discovery e1082",
"e1203 data",
"vhash",
"ssdeep",
"file type",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"file size",
"united",
"as32934",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"status",
"search",
"showing",
"server error",
"certificate",
"creation date",
"high assurance",
"server ca",
"date",
"body",
"win32",
"ransom",
"entries",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"show",
"malware",
"copy",
"push",
"write",
"aaaa",
"nxdomain",
"united kingdom",
"thailand",
"vietnam",
"as45430",
"honduras",
"indonesia",
"mexico",
"slovakia",
"dynamicloader",
"yara rule",
"high",
"ekyxe",
"xe e",
"eofae",
"ee edcje4j",
"tofsee",
"windows",
"medium",
"stream",
"grum",
"as15169 google",
"pulses",
"record value",
"error",
"cname",
"name servers",
"ireland",
"next",
"federation asn",
"as49505",
"labs pulses",
"trojan",
"trojandropper",
"related pulses",
"file samples",
"files matching",
"date hash",
"copyright",
"all search",
"reverse dns",
"location united",
"emails info",
"expiration date",
"as51167 contabo",
"germany unknown",
"a nxdomain",
"as40021 contabo",
"encrypt",
"url http",
"http",
"ip address",
"related nids",
"files location",
"ddos",
"activity",
"checkin",
"win64",
"mirai",
"hosting",
"files ip",
"address",
"czechia unknown",
"as174 cogent",
"asnone germany",
"as15598",
"as16625 akamai",
"asnone united",
"as20940",
"as35994 akamai",
"as12337 noris",
"pulse submit",
"url analysis",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"suspicious",
"virtool",
"emails",
"domain name",
"code",
"brazil",
"poland",
"domain",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"exploit",
"externalport",
"internalport",
"http headers",
"home network",
"demonbot",
"andariel",
"yara detections",
"malware traffic",
"nids",
"dns query",
"google safe",
"browsing",
"whois",
"virustotal",
"mtb apr",
"asnone related",
"open",
"hash avast",
"avg clamav",
"msdefender apr",
"as8075",
"content type",
"access",
"cp bus",
"cur cono",
"fin ivdo",
"onl our",
"phy samo",
"overview ip",
"flag united",
"hostname",
"files domain",
"as8068",
"trojan features",
"rsa tls",
"issuing ca",
"mirai variant",
"useragent",
"inbound",
"realtek sdk",
"miniigd upnp",
"soap command",
"activity mirai",
"helloworld",
"users",
"alerts",
"anomalous file",
"recycle bin",
"filehash",
"av detections",
"memcommit",
"read c",
"memreserve",
"for privacy",
"china unknown",
"ag alberto",
"pedraz",
"holidaycheck ag",
"project pi",
"immobilien ag",
"puma se",
"kurt walther",
"ag ingo",
"kraupa",
"timo salzsieder",
"record type",
"ttl value",
"msms57295540",
"subdomains",
"ireland unknown",
"analyzer paste",
"iocs",
"samples",
"regsetvalueexa",
"default",
"regdword",
"module load",
"t1129",
"http request",
"process32nextw",
"regbinary",
"oxypumper",
"tools",
"dock",
"april",
"persistence",
"execution",
"download",
"as62597 nsone",
"echo request",
"sweep",
"payload hello",
"world",
"total",
"please",
"xport",
"main",
"look",
"install",
"servers",
"found",
"cnapple public",
"accept",
"chrome",
"moved",
"ssl certificate",
"write c",
"installcore",
"june",
"delphi",
"as47846",
"cookie",
"as32787 akamai",
"as714 apple",
"m1",
"onelouder",
"brian sabey",
"denver colorado",
"fakedout threat",
"gmt content",
"x cache",
"div div",
"as8972 host",
"france unknown",
"registrar",
"otx scoreblue",
"address domain",
"as24940 hetzner",
"as44273 host",
"asn as15598",
"trojanspy",
"mail spammer",
"germany mail",
"spammer",
"hichina",
"data redacted",
"a domains",
"wow64",
"slcc2",
"media center",
"port",
"powershell",
"urls http",
"tptjsw",
"virus",
"ids detections",
"germany",
"as8560",
"austria",
"as1921",
"as14061",
"whitelisted",
"as16276",
"script urls",
"as16552 tiggee",
"as9009 m247",
"meta",
"as29789",
"detected m1",
"mtb aug",
"server",
"as397241",
"cryp",
"hostmaster",
"networks",
"as19024",
"gmt setcookie",
"delete",
"russia as49505",
"sinkhole cookie",
"value snkz",
"pe32",
"possible",
"susp",
"lnmp",
"lnmp a",
"licess",
"shell",
"as63949 linode",
"as133618",
"as21342",
"cve201717215",
"huawei remote",
"huawei hg532",
"malware worm",
"gafgyt",
"exploit none",
"binbusybox",
"delete c",
"odigicert inc",
"stwashington",
"lredmond",
"rsa ca",
"cape",
"nondns",
"denver",
"redacted for",
"method status",
"url hostname",
"ip country",
"type get",
"date tue",
"gmt contenttype",
"connection",
"cachecontrol",
"expires thu",
"gmt vary",
"poland unknown",
"title",
"script domains",
"updated date",
"serce internetu",
"cnc beacon",
"javascript",
"wsasend",
"post",
"delete shadows",
"all quiet",
"t1047",
"instrumentation",
"rpcs",
"ms windows",
"asnone dns",
"http host",
"ip check",
"sha256",
"bits",
"adware malware",
"etpro malware",
"bios",
"guard",
"tulach",
"spectrum",
"cyber folks",
"tsara brashears",
".pl",
"contacted",
"kryptikxp",
"apple",
"ios",
"android",
"sabey",
"charter communications",
"denvecolorado",
"quantum fiber",
"air force",
"swipper",
"masquerade",
"hitmen",
"mitm",
"whitesky",
"cyber warfare",
"porn",
"pornhub.software"
],
"references": [
"DISTINCTIO8.pdf",
"FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set",
"Tofsee: 'google.com' | https://www.gov50.icu |",
"ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)",
"Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk",
"Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing",
"hubt.pornhub.com | www.pornhub.com | pornative.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/",
"www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/",
"Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da",
"IDS Detections: WGET Command Specifying Output in HTTP Headers",
"IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution",
"Yara Detections: is__elf , DemonBot",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout",
"FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c",
"IDS Detections: Andariel Backdoor Activity (Checkin)",
"Alerts: dead_host nids_malware_alert network_icmp nolookup_communication",
"DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2",
"IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
"IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST",
"IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy",
"http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/",
"https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com",
"apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com",
"autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com",
"* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit",
"https://tulach.cc/ | tulach.cc |",
"http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com",
"google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl",
"18teen.net | teensnow.com | grannies-porn.net | pornmd.com",
"www.pornhubselect.com | pornhub.software"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Chile",
"Morocco",
"Taiwan",
"Guatemala",
"United Kingdom of Great Britain and Northern Ireland",
"Ireland",
"Kenya",
"Peru",
"Singapore",
"Mexico",
"Brazil",
"Slovakia",
"Spain",
"Australia",
"Belgium",
"Germany",
"Hungary",
"Netherlands",
"Russian Federation",
"Japan",
"Poland"
],
"malware_families": [
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "TEL:CreateScheduledTask",
"display_name": "TEL:CreateScheduledTask",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee",
"display_name": "Backdoor:Win32/Tofsee",
"target": "/malware/Backdoor:Win32/Tofsee"
},
{
"id": "Ransom:Win32/Haperlock",
"display_name": "Ransom:Win32/Haperlock",
"target": "/malware/Ransom:Win32/Haperlock"
},
{
"id": "Trojan:Win32/Neurevt",
"display_name": "Trojan:Win32/Neurevt",
"target": "/malware/Trojan:Win32/Neurevt"
},
{
"id": "DDoS:Linux/Gafgyt.YA!MTB",
"display_name": "DDoS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-17215",
"display_name": "CVE-2017-17215",
"target": null
},
{
"id": "CVE-2023-27350",
"display_name": "CVE-2023-27350",
"target": null
},
{
"id": "CVE-2014-8361",
"display_name": "CVE-2014-8361",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "M1",
"display_name": "M1",
"target": null
},
{
"id": "OneLouder",
"display_name": "OneLouder",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Trojan.Sarwent-10012602-0",
"display_name": "Win.Trojan.Sarwent-10012602-0",
"target": null
},
{
"id": "Virus:Win32/Sivis.A",
"display_name": "Virus:Win32/Sivis.A",
"target": "/malware/Virus:Win32/Sivis.A"
},
{
"id": "Win.Trojan.Installcore-1177",
"display_name": "Win.Trojan.Installcore-1177",
"target": null
},
{
"id": "Win.Malware.Oxypumper-6900435-0",
"display_name": "Win.Malware.Oxypumper-6900435-0",
"target": null
},
{
"id": "Win.Malware.Qshell-9875653-0",
"display_name": "Win.Malware.Qshell-9875653-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "678f0dbdbc59dd2ea5656dcf",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 7589,
"FileHash-SHA1": 3982,
"FileHash-SHA256": 8280,
"URL": 441,
"domain": 2416,
"hostname": 2155,
"email": 37,
"CVE": 4,
"SSLCertFingerprint": 6
},
"indicator_count": 24910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3b4900e932be011875",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-09T01:25:44.696000",
"created": "2026-04-07T04:51:07.162000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 112,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3cfab80e8a75ef85c1",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-07T05:22:42.355000",
"created": "2026-04-07T04:51:08.017000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 113,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 584,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d48d3b4cb631f407faf565",
"name": "Free Automated Malware Analysis Service - Falcon Sandbox -",
"description": "",
"modified": "2026-04-07T04:55:44.376000",
"created": "2026-04-07T04:51:07.591000",
"tags": [
"ip address",
"december",
"c2 server",
"famous chollima",
"hostwinds",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"threat level",
"ansi",
"date",
"pcap",
"pcap processing",
"report domain",
"report",
"sha256",
"filepath",
"runtime process",
"path",
"suspicious",
"hostile",
"hybrid",
"accept",
"close",
"click",
"hosts",
"malicious",
"general",
"local",
"factory",
"strings",
"contact",
"united",
"flag",
"germany germany",
"enom",
"gmt flag",
"server",
"name server",
"contacted hosts",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"prefetch8 ansi",
"show process",
"hash seen",
"ck id",
"win64",
"gecko",
"mitre att",
"comspec",
"april",
"refresh",
"model",
"mozi",
"window",
"dest"
],
"references": [
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe",
"https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02",
"https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6",
"https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 48,
"FileHash-SHA256": 84,
"domain": 72,
"URL": 112,
"FileHash-MD5": 94,
"FileHash-SHA1": 68,
"email": 2,
"hostname": 91,
"SSLCertFingerprint": 12
},
"indicator_count": 583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a77cfcac37b94cdafabb0d",
"name": "Outlook",
"description": "IOCS",
"modified": "2026-04-03T08:24:06.638000",
"created": "2026-03-04T00:29:48.657000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 712,
"domain": 759,
"hostname": 194,
"FileHash-SHA1": 148,
"email": 37,
"FileHash-SHA256": 437,
"FileHash-MD5": 118,
"CVE": 1
},
"indicator_count": 2406,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ce1c7b60a3065cc75b7e23",
"name": "Chance Encounter Clone CREDIT: UCP_GoA23 Public - same watering hole?",
"description": "",
"modified": "2026-04-02T07:42:49.581000",
"created": "2026-04-02T07:36:27.829000",
"tags": [
"raspberry pi",
"hdmi",
"hdmi mode",
"uncomment",
"additional",
"usb mass",
"pi02",
"pi zero",
"zero",
"enable drm",
"program",
"license",
"free software",
"foundation",
"general public",
"gnu general",
"public license",
"the program",
"copyright",
"sections",
"june",
"general",
"april",
"vice",
"drivers",
"analog",
"digital",
"video",
"bus support",
"media",
"accelerometers",
"capacitance",
"resolver",
"android",
"flash",
"monitoring",
"codec",
"loop",
"light",
"linear",
"tools",
"class",
"speakup",
"core support",
"legacy",
"kernel",
"this software",
"including",
"but not",
"limited to",
"ltd all",
"redistributions",
"disclaimer",
"is provided",
"damage",
"info",
"params",
"gpio",
"gpio pin",
"select",
"digital volume",
"load",
"gpios",
"compute module",
"spi bus",
"front",
"clock",
"speed",
"tiny",
"kali",
"oled",
"systemd",
"digi",
"miso",
"screen",
"show",
"global property",
"bootmenu",
"label",
"booting",
"please",
"javascript",
"entity",
"file list",
"size first",
"credits text",
"readme text",
"no meaningful",
"url list",
"status https",
"domain list",
"enom",
"registrar",
"ltd dba",
"com laude",
"ip address",
"ip adresses",
"U of A",
"GoA",
"Treaty 6",
"Treaty 7",
"Treaty 8",
"AHS"
],
"references": [
"cmdline.txt",
"config.txt",
"COPYING.linux",
"config-5.15.44-Re4son-v7+",
"config-5.15.44-Re4son-v7l+",
"config-5.15.44-Re4son-v8l+",
"config-5.15.44-Re4son+",
"config-5.15.44-Re4son-v8+",
"grub_background.sh",
"LICENCE.broadcom",
"README",
"theme.txt",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/details",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/relations",
"https://www.virustotal.com/gui/file/4b2f7e790d88a330808e6b2a81c8ea81268f69eb6c10ad4beccf2063158d0423/behavior",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e",
"https://www.virustotal.com/graph/embed/g24019548c37d405da58015e7220072ab73c17ac93ac14e538e1f4535dda6c615?theme=dark",
"https://www.virustotal.com/gui/collection/cd709a94571c706f4c86a2432508b5fa9e3618a4ba42f5773306208a431ae01e/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1050",
"name": "New Service",
"display_name": "T1050 - New Service"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1211",
"name": "Exploitation for Defense Evasion",
"display_name": "T1211 - Exploitation for Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications",
"Agriculture",
"Finance",
"Transportation"
],
"TLP": "white",
"cloned_from": "698f07428f6e35876e034e41",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 812,
"URL": 2492,
"hostname": 1171,
"FileHash-SHA256": 2057,
"CVE": 2,
"FileHash-MD5": 14,
"FileHash-SHA1": 16,
"email": 2,
"CIDR": 118
},
"indicator_count": 6684,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "18 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6989077aa8c925b423ef9354",
"name": "Hybrid Managed Service Actor / provisioned insider",
"description": "An artifact was observed on May 4, 2025, utilizing a document lure. Analysis of the artifact indicated a failed cryptographic validation. This activity occurred specifically within the 24-hour period preceding the May 5, 2025, Microsoft DMARC/DKIM/SPF enforcement.\nThis activity was followed by the execution of suspected malware payloads, leading to the unauthorized transfer of data. The observed data exfiltration endpoint was hasthe.technology.",
"modified": "2026-03-31T21:36:40.020000",
"created": "2026-02-08T22:00:24.065000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 414,
"FileHash-SHA256": 115,
"CVE": 91,
"hostname": 374,
"URL": 657,
"email": 19,
"JA3": 1,
"FileHash-MD5": 13,
"FileHash-SHA1": 13
},
"indicator_count": 1697,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 51,
"modified_text": "20 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6988faa4f668aeeed6f86da8",
"name": "zero trust",
"description": "researcher credit: msudoSOS : CLBCatQ.DLL\tThe malware is hijacking your COM+ Class Catalog to hide as a System Service.\nCoMarshalInterface\tYour identity is being \"packaged\" and sent via the LTE Trial to the '' Edge.\npid 2356 / 2812\tThese are the active processes currently communicating with the 49.12.22.106 C2 server.",
"modified": "2026-03-27T09:05:26.285000",
"created": "2026-02-08T21:05:37.829000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"display_name": "ALF:HeraklezEval:Trojan:Win32/C2Lop",
"target": null
},
{
"id": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"display_name": "#LowFi:HSTR:PyInstaller_Packaged_Script",
"target": null
},
{
"id": "#Exploit:Win32/BlofeldsCat",
"display_name": "#Exploit:Win32/BlofeldsCat",
"target": "/malware/#Exploit:Win32/BlofeldsCat"
},
{
"id": "TEL:Exploit:HTML/PSWebkit",
"display_name": "TEL:Exploit:HTML/PSWebkit",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 394,
"hostname": 250,
"CVE": 112,
"URL": 190,
"email": 25,
"JA3": 1,
"FileHash-MD5": 191,
"FileHash-SHA1": 214,
"FileHash-SHA256": 607
},
"indicator_count": 1984,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 60,
"modified_text": "24 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "sharepoint.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "sharepoint.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776723317.4030902
}