{
  "type": "Domain",
  "indicator": "sify.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sify.com",
    "alexa": "http://www.alexa.com/siteinfo/sify.com",
    "indicator": "sify.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain sify.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain sify.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 20685,
      "indicator": "sify.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 25,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc7a6778f84c179d27073",
          "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
          "description": "",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:31:34.221000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69efc567ae24b8285a71099d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1039,
            "hostname": 868,
            "domain": 687,
            "URL": 2226,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 96,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc567ae24b8285a71099d",
          "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
          "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:21:59.824000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1037,
            "hostname": 865,
            "domain": 685,
            "URL": 2224,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 94,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b92a27c47d4e28927364",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:26.110000",
          "created": "2026-03-12T13:01:30.067000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "80 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b9295603a6100edfa8c8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:25.387000",
          "created": "2026-03-12T13:01:29.284000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "80 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927aa7f10e82639d204",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.872000",
          "created": "2026-03-12T13:01:27.872000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927c086397130c5d114",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.275000",
          "created": "2026-03-12T13:01:27.275000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b926871746ed8a1bc324",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:26.440000",
          "created": "2026-03-12T13:01:26.440000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b925e85c948d4dd608cc",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:25.852000",
          "created": "2026-03-12T13:01:25.852000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e974189d2c41f07ed8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:25.910000",
          "created": "2026-03-12T13:00:25.910000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e74d2b3effd55f88c3",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:23.173000",
          "created": "2026-03-12T13:00:23.173000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8dfbf8426a7a1d0146d",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:15.427000",
          "created": "2026-03-12T13:00:15.427000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d7123610591625b8fb",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:07.354000",
          "created": "2026-03-12T13:00:07.354000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d61e3f64a8f1f169b6",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:06.214000",
          "created": "2026-03-12T13:00:06.214000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d24eeb4200bdb1d702",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:02.096000",
          "created": "2026-03-12T13:00:02.096000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694f0aa090aedc7e498b2e9a",
          "name": "Qakbot | *NEW  Malware found and analyzed \u2022 IRS",
          "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information.  Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.",
          "modified": "2026-01-25T21:03:27.507000",
          "created": "2025-12-26T22:22:24.480000",
          "tags": [
            "related tags",
            "none google",
            "win32",
            "united",
            "united states",
            "irs",
            "qakbot",
            "qbot",
            "inject",
            "keylogger",
            "botx",
            "active",
            "bot network",
            "et trojan",
            "hello ssl",
            "destination",
            "port",
            "unknown",
            "ciphersuite",
            "sessionid",
            "asnone",
            "write",
            "virustotal",
            "drweb",
            "vipre",
            "mcafee",
            "panda",
            "malware",
            "pandex!gen1",
            "et",
            "brazil as16625",
            "akamai",
            "united kingdom",
            "dynamicloader",
            "medium",
            "tls handshake",
            "failure",
            "yara rule",
            "high",
            "cape",
            "guard",
            "error",
            "delphi",
            "qakbot",
            "tlsv1",
            "entries",
            "iobit unikstall",
            "global",
            "read c",
            "rgba",
            "unicode",
            "memcommit",
            "delete",
            "msie",
            "windows nt",
            "next",
            "dock",
            "execution",
            "server header",
            "download",
            "suspicious",
            "specified",
            "logic",
            "web products",
            "present nov",
            "present dec",
            "present jun",
            "present oct",
            "present may",
            "aaaa",
            "next associated",
            "urls show",
            "scheme",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "contacted hosts",
            "ip address",
            "ascii text",
            "pattern match",
            "href",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "beginstring",
            "show process",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "iframe",
            "click",
            "strings",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "learn",
            "command",
            "name tactics",
            "informative",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "adult content",
            "lol fun hackers"
          ],
          "references": [
            "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
            "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE  Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
            "Pandex!gen1 Web Products",
            "Crypt3.BXVC IDS: Suspicious double Server Header",
            "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
            "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
            "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
            "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
            "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
            "Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
            "Crypt3.BXVC IDS: Abuseat.org Block Message",
            "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
            "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
            "Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
            "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
            "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
            "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Canada",
            "Brazil",
            "Ireland",
            "India",
            "Georgia",
            "Singapore",
            "Spain",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            },
            {
              "id": "Win.Keylogger.Qbot-9987768-0",
              "display_name": "Win.Keylogger.Qbot-9987768-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Qakbot-9988002-1",
              "display_name": "Win.Trojan.Qakbot-9988002-1",
              "target": null
            },
            {
              "id": "Win32:BotX-gen\\ [Trj]",
              "display_name": "Win32:BotX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Pandex!gen1",
              "display_name": "Pandex!gen1",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Web Products",
              "display_name": "Web Products",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "IRS"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 158,
            "URL": 140,
            "hostname": 287,
            "FileHash-SHA256": 85,
            "FileHash-MD5": 110,
            "FileHash-SHA1": 77,
            "SSLCertFingerprint": 8
          },
          "indicator_count": 865,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "125 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "687992eceac6f12e9cebd65f",
          "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
          "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
          "modified": "2025-12-28T19:04:27.449000",
          "created": "2025-07-18T00:18:50.968000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 375,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 7,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "153 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6854082f2edb40c1c80b0831",
          "name": "JSDdelivr blocklist",
          "description": "",
          "modified": "2025-06-19T14:28:09.610000",
          "created": "2025-06-19T12:53:03.734000",
          "tags": [],
          "references": [
            "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5675,
            "hostname": 171
          },
          "indicator_count": 5846,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "346 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e5f78f4505e0f1ed2b169a",
          "name": "Crypt3.BXVC",
          "description": "",
          "modified": "2024-10-14T20:01:07.396000",
          "created": "2024-09-14T20:52:31.163000",
          "tags": [
            "asnone",
            "as15169",
            "as16417 cisco",
            "as26211",
            "as22843",
            "as36647 oath",
            "as3356 level",
            "as36646 oath",
            "telecom"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia",
            "Canada",
            "Brazil",
            "Ireland",
            "India",
            "Singapore",
            "Spain",
            "Japan",
            "Belgium",
            "South Africa",
            "China",
            "Italy",
            "Aruba",
            "Germany",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "WS.Reputation.1",
              "display_name": "WS.Reputation.1",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Hlux.csf",
              "display_name": "Backdoor.Win32.Hlux.csf",
              "target": null
            },
            {
              "id": "Trojan.Downloader.JRJV",
              "display_name": "Trojan.Downloader.JRJV",
              "target": null
            },
            {
              "id": "Trojan.DownLoader12.20457",
              "display_name": "Trojan.DownLoader12.20457",
              "target": null
            },
            {
              "id": "TROJ_SPNV.01B615",
              "display_name": "TROJ_SPNV.01B615",
              "target": null
            },
            {
              "id": "Troj/HkMain-CC",
              "display_name": "Troj/HkMain-CC",
              "target": null
            },
            {
              "id": "Trojan/Win32.Ransom",
              "display_name": "Trojan/Win32.Ransom",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 100,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 175,
            "domain": 712,
            "hostname": 657,
            "URL": 1
          },
          "indicator_count": 1745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "593 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c4b7b44b63ea6ea0c503d8",
          "name": "Sabey targeting | Gains access to premier Denver Recording Studio",
          "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.",
          "modified": "2024-03-09T10:04:19.572000",
          "created": "2024-02-08T11:15:00.329000",
          "tags": [
            "malware",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber espionage",
            "studio created",
            "minutes ago",
            "white goldmax",
            "sibot",
            "goldfinder",
            "python",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "entries",
            "url http",
            "pulses cve",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "urls http",
            "sample",
            "urls https",
            "filehashsha1",
            "filehashmd5",
            "ipv4",
            "types of",
            "united kingdom",
            "united",
            "india",
            "china",
            "search",
            "pega type",
            "united states",
            "url https",
            "added active",
            "related pulses",
            "backdoor type",
            "discovery",
            "command",
            "all octoseek",
            "formbook",
            "goldmax",
            "ransomware",
            "njrat",
            "hacktool",
            "maui ransomware",
            "worm",
            "next",
            "type indicator",
            "role title",
            "go",
            "sabey",
            "tulach",
            "targeting tsara brashears",
            "utah",
            "whois record",
            "contacted",
            "ssl certificate",
            "referrer",
            "whois whois",
            "resolutions",
            "collections",
            "bundled",
            "execution",
            "lokibot",
            "tracer tool",
            "c2",
            "command and control",
            "sabey",
            "targeting",
            "hacking apple"
          ],
          "references": [
            "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
            "https://sabeydatacenters.com/",
            "sabeydatacenters.com",
            "4jslg.sabeydatacenters.com",
            "https://sabeydatacenters.com/",
            "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
            "https://tulach.cc/ |   [phishing | malware engineering]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
            "nr-data.net  [Apple Private Data Collection]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Sibot",
              "display_name": "Sibot",
              "target": null
            },
            {
              "id": "GoldFinder",
              "display_name": "GoldFinder",
              "target": null
            },
            {
              "id": "Go",
              "display_name": "Go",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Maui Ransomware",
              "display_name": "Maui Ransomware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Entertainment",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 422,
            "domain": 240,
            "hostname": 495,
            "CVE": 1,
            "FileHash-MD5": 75,
            "FileHash-SHA1": 73,
            "FileHash-SHA256": 843,
            "email": 2
          },
          "indicator_count": 2151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "813 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568ab12429c394dc4b91ea",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go",
          "description": "",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-16T21:33:37.838000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6553b88c316cfb531b9c4c10",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6553b88c316cfb531b9c4c10",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com",
          "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-14T18:12:28.459000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bc6301b7cdf7d04e095",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:44:54.422000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568d67bd96e06ab44b9b95",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-16T21:45:11.721000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65536bdc3676a40633a619be",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bdc3676a40633a619be",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:45:16.667000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
        "https://tulach.cc/ |   [phishing | malware engineering]",
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "sabeydatacenters.com",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "nr-data.net  [Apple Private Data Collection]",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "bell.ca",
        "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
        "Pandex!gen1 Web Products",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt",
        "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
        "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
        "Crypt3.BXVC IDS: Abuseat.org Block Message",
        "http://mobile.suddenlink2go.com/",
        "home.toshiba.com",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
        "myhughesnet.com",
        "https://www.everycloudtech.com/free-mail-flow-monitor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "dishmail.net",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Crypt3.BXVC IDS: Suspicious double Server Header",
        "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
        "monitor.cablelan.net",
        "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE  Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
        "https://sabeydatacenters.com/",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
        "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "ytq2rs56.haogfw.com",
        "Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "https://monitor.rodgersmith.com",
        "4jslg.sabeydatacenters.com",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af",
        "Backdoor.Win32.Pushdo.s Checkin",
        "pornhub.com",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others"
          ],
          "malware_families": [
            "#lowfi:hstr:win32/mediadownloader",
            "Ws.reputation.1",
            "Win.trojan.pushdo-20",
            "Trojandownloader:linux/mirai",
            "#lowfi:exploit:java/cve-2012-0507",
            "World media",
            "Win32:botx-gen\\ [trj]",
            "Et",
            "Starfighter (javascript)",
            "Pegasus for android - mob-s0032",
            "Crypt3.bxvc",
            "Pegasus rdp module for windows",
            "#lowfi:siga:trojandownloader:msil/genmaldow",
            "Pegasus for ios - s0289",
            "Alf:backdoor:powershell/reverseshell",
            "Troj/hkmain-cc",
            "Goldfinder",
            "Html smuggling",
            "#hstr:hacktool:win32/remoteshell",
            "Web products",
            "Trojan.downloader.jrjv",
            "#lowfitrojan:html/iframe",
            "Maui ransomware",
            "Skynet",
            "Alf:backdoor:java/webshell",
            "Xloader for ios - s0490",
            "Sibot",
            "Win.keylogger.qbot-9987768-0",
            "Tulach",
            "Backdoor.win32.hlux.csf",
            "Graphite (pegasus variant)",
            "Go",
            "Pegasus for mac",
            "Zeroaccess - s0027",
            "Mirai (windows)",
            "Pandex!gen1",
            "Troj_spnv.01b615",
            "Njrat",
            "Backdoor:linux/mirai",
            "Trojanspy",
            "Trojandownloader:win32/cutwail.bv",
            "Cve-2022-26134",
            "Win.trojan.qakbot-9988002-1",
            "Hacktool",
            "Sabey",
            "Alf:html/phishing",
            "Trojan:js/berbew",
            "Inject2.bive",
            "Trojandownloader:win32/cutwail.bs",
            "Trojan.downloader12.20457",
            "Trojan/win32.ransom",
            "Careto",
            "Maltiverse",
            "Roblox",
            "Slf:msil/pstanomaly.a",
            "Paragon (pegasus variant)",
            "Ransomware"
          ],
          "industries": [
            "Judicial",
            "People",
            "Technology",
            "Civilians",
            "Telecommunications",
            "Finance",
            "Government",
            "Irs",
            "Entertainment",
            "Legal",
            "Civil"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 25,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc7a6778f84c179d27073",
      "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
      "description": "",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:31:34.221000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69efc567ae24b8285a71099d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1039,
        "hostname": 868,
        "domain": 687,
        "URL": 2226,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 96,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc567ae24b8285a71099d",
      "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
      "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:21:59.824000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1037,
        "hostname": 865,
        "domain": 685,
        "URL": 2224,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 94,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5051,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b92a27c47d4e28927364",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:26.110000",
      "created": "2026-03-12T13:01:30.067000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 72,
      "modified_text": "80 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b9295603a6100edfa8c8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:25.387000",
      "created": "2026-03-12T13:01:29.284000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "80 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927aa7f10e82639d204",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.872000",
      "created": "2026-03-12T13:01:27.872000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927c086397130c5d114",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.275000",
      "created": "2026-03-12T13:01:27.275000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b926871746ed8a1bc324",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:26.440000",
      "created": "2026-03-12T13:01:26.440000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b925e85c948d4dd608cc",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:25.852000",
      "created": "2026-03-12T13:01:25.852000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8e974189d2c41f07ed8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:25.910000",
      "created": "2026-03-12T13:00:25.910000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "80 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sify.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sify.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780249098.9999385
}