{
  "type": "Domain",
  "indicator": "sprintmail.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sprintmail.com",
    "alexa": "http://www.alexa.com/siteinfo/sprintmail.com",
    "indicator": "sprintmail.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2896505099,
      "indicator": "sprintmail.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc567ae24b8285a71099d",
          "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
          "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:21:59.824000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1037,
            "hostname": 865,
            "domain": 685,
            "URL": 2224,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 94,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc7a6778f84c179d27073",
          "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
          "description": "",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:31:34.221000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69efc567ae24b8285a71099d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1039,
            "hostname": 868,
            "domain": 687,
            "URL": 2226,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 96,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-24T13:20:48.450000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 108,
            "CIDR": 6
          },
          "indicator_count": 33118,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691e2279ac1ef8b9dbfbc2b3",
          "name": "Mirai \u2022 Neurotox Institute",
          "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]",
          "modified": "2025-12-19T19:00:18.927000",
          "created": "2025-11-19T20:03:05.195000",
          "tags": [
            "united",
            "link",
            "virtool",
            "meta",
            "atom",
            "pragma",
            "dynamicloader",
            "msie",
            "windows nt",
            "tls handshake",
            "failure",
            "tlsv1",
            "forbidden",
            "ogoogle trust",
            "encrypt",
            "possible",
            "write",
            "malware",
            "consumed",
            "netherlands",
            "united kingdom",
            "read c",
            "sality",
            "delphi",
            "win32",
            "strings",
            "xserver",
            "post http",
            "post method",
            "cryptexportkey",
            "ocloudflare",
            "cryptgenkey",
            "calgrc4",
            "persistence",
            "execution",
            "div div",
            "script script",
            "span a",
            "a li",
            "unknown ns",
            "span",
            "april",
            "passive dns",
            "hosting",
            "reverse dns",
            "hostname add",
            "files ip",
            "asn as32475",
            "address domain",
            "mirai",
            "united states",
            "facebook",
            "twitter",
            "youtube",
            "ck ids",
            "mh may",
            "t1204 technique",
            "user execution",
            "suggested",
            "port",
            "destination",
            "telnet login",
            "high",
            "tcp syn",
            "infectednight",
            "resolverror",
            "suspicious path",
            "ids detections",
            "yara detections",
            "sinkhole cookie",
            "file score",
            "detections sf",
            "value snkz",
            "forbidden tls",
            "et trojan",
            "value",
            "et info",
            "et",
            "present oct",
            "domain",
            "title",
            "present sep",
            "moved",
            "server",
            "next associated",
            "ipv4 add",
            "urls",
            "files",
            "trojan",
            "cookie",
            "predict70 sep",
            "next http",
            "scans record",
            "forbidden date",
            "gmt content",
            "type",
            "unix",
            "namecheap url",
            "forward elf",
            "md5 add",
            "less see",
            "contacted",
            "pulse pulses",
            "av detections",
            "analysis date",
            "virus",
            "ee fc",
            "unknown",
            "yara rule",
            "ff d5",
            "search",
            "show",
            "suspicious",
            "fbq object",
            "ide value",
            "source level",
            "url text",
            "line",
            "allow attribute",
            "mootools",
            "class function",
            "chain",
            "options",
            "elements",
            "garbage",
            "drag",
            "xhr function",
            "ajax",
            "itemid14",
            "kb image",
            "kb script",
            "b image",
            "b stylesheet",
            "b script",
            "kb stylesheet",
            "stylesheet",
            "redirect chain",
            "path size",
            "type mimetype",
            "resource",
            "general full",
            "montreal",
            "canada",
            "asn16276",
            "debian",
            "url http",
            "hash",
            "main",
            "cookie object",
            "dns any",
            "date",
            "entries",
            "url https",
            "Foundry",
            "Lazarus",
            "Endgame",
            "Neurotoxin Institute",
            "Hall Render",
            "Brian Sabey",
            "UC Health",
            "Britney Spears Official"
          ],
          "references": [
            "https://www.neurotoxininstitute.com/",
            "Backdoor.Win32.Pushdo.s Checkin",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
            "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
            "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
            "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
            "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
            "http://appelfarm.org",
            "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
            "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
            "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
            "Interesting Strings : 13.79.87.163",
            "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
            "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
            "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
            "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
            "https://britneyspears.com/",
            "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
            "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
            "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
            "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
            "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
            "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
            "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
            "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
            "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "France",
            "Germany",
            "Canada",
            "Netherlands",
            "United Kingdom of Great Britain and Northern Ireland",
            "New Zealand",
            "Italy",
            "Aruba",
            "Poland",
            "Singapore",
            "T\u00fcrkiye",
            "Indonesia",
            "Spain",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Netherlands",
              "display_name": "Netherlands",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Virus:Win32/Krepper.30760",
              "display_name": "Virus:Win32/Krepper.30760",
              "target": "/malware/Virus:Win32/Krepper.30760"
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
              "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
              "target": null
            },
            {
              "id": "Suggested",
              "display_name": "Suggested",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.gen!MH",
              "display_name": "VirTool:Win32/VBInject.gen!MH",
              "target": "/malware/VirTool:Win32/VBInject.gen!MH"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
              "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
              "target": null
            },
            {
              "id": "Win32:Zbot-RUV",
              "display_name": "Win32:Zbot-RUV",
              "target": null
            },
            {
              "id": "Win32:Evo-gen",
              "display_name": "Win32:Evo-gen",
              "target": null
            },
            {
              "id": "Win32:Kryptik",
              "display_name": "Win32:Kryptik",
              "target": null
            },
            {
              "id": "Trojan:Win32/Bulta",
              "display_name": "Trojan:Win32/Bulta",
              "target": "/malware/Trojan:Win32/Bulta"
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 511,
            "hostname": 198,
            "domain": 471,
            "FileHash-SHA256": 1442,
            "FileHash-MD5": 183,
            "FileHash-SHA1": 79,
            "email": 5,
            "SSLCertFingerprint": 63
          },
          "indicator_count": 2952,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 148,
          "modified_text": "163 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "x95xd3xa4",
            "regbinary",
            "hx88x89",
            "kx82xd3x11",
            "xb9x8b",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c3af07b73d51dc4bb9efbc",
          "name": "Phrishing and MiSL, at odomou.com",
          "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.",
          "modified": "2023-09-10T13:02:26.487000",
          "created": "2023-07-28T12:05:27.845000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Hell-On-A-Stick",
            "id": "186907",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 489,
            "FileHash-MD5": 135,
            "FileHash-SHA1": 129,
            "URL": 316,
            "domain": 341,
            "hostname": 219,
            "CVE": 1
          },
          "indicator_count": 1630,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 51,
          "modified_text": "994 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE",
        "https://britneyspears.com/",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
        "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
        "https://www.neurotoxininstitute.com/",
        "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
        "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
        "T1110.001 (Brute Force: Password Guessing)",
        "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "http://www.door.net/ARISBE/arisbe.htm",
        "Backdoor.Win32.Pushdo.s Checkin",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "http://appelfarm.org",
        "bell.ca",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Interesting Strings : 13.79.87.163",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Lazarus",
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s"
          ],
          "malware_families": [
            "Win32:kryptik",
            "Kelihos",
            "Inject3.qgy",
            "Netherlands",
            "Et",
            "Nod32",
            "Suggested",
            "Trojandownloader:win32/cutwail.bv",
            "Nids",
            "Sf:shellcode-au\\ [trj]",
            "Trojan:win32/bulta",
            "World media",
            "Mirai",
            "Cerber ransomware",
            "Backdoor:win32/tofsee",
            "Etpro",
            "Slf:msil/pstanomaly.a",
            "Softcnapp",
            "Trojandownloader:win32/cutwail",
            "Virus:win32/krepper.30760",
            "Sality",
            "Trojan:win32/glupteba",
            "Cve-2022-26134",
            "Alf:heraklezeval:backdoor:linux/mirai.a!rf",
            "Malware family: stealthworker / gobrut",
            "Virtool:win32/obfuscator",
            "Win32:zbot-ruv",
            "Alf:rpf:peattr_sigattr:predict:70",
            "Win32:evo-gen",
            "Virtool:win32/vbinject.gen!mh",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Win.trojan.pushdo-20",
            "Trojandownloader:win32/cutwail.bs"
          ],
          "industries": [
            "Judicial",
            "Telecommunications",
            "Government",
            "Legal",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc567ae24b8285a71099d",
      "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
      "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:21:59.824000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1037,
        "hostname": 865,
        "domain": 685,
        "URL": 2224,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 94,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5051,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc7a6778f84c179d27073",
      "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
      "description": "",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:31:34.221000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69efc567ae24b8285a71099d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1039,
        "hostname": 868,
        "domain": 687,
        "URL": 2226,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 96,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6992bae83a5988dff8311490",
      "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
      "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
      "modified": "2026-04-24T13:20:48.450000",
      "created": "2026-02-16T06:36:24.788000",
      "tags": [
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
        "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
        "#PotentialUS-Origin_FalseFlag_Obfuscation"
      ],
      "references": [
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
      ],
      "public": 1,
      "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Malware Family: StealthWorker / GoBrut",
          "display_name": "Malware Family: StealthWorker / GoBrut",
          "target": "/malware/Malware Family: StealthWorker / GoBrut"
        },
        {
          "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2166,
        "FileHash-SHA1": 2067,
        "FileHash-SHA256": 3371,
        "domain": 13295,
        "URL": 6860,
        "email": 272,
        "hostname": 4705,
        "SSLCertFingerprint": 268,
        "CVE": 108,
        "CIDR": 6
      },
      "indicator_count": 33118,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691e2279ac1ef8b9dbfbc2b3",
      "name": "Mirai \u2022 Neurotox Institute",
      "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]",
      "modified": "2025-12-19T19:00:18.927000",
      "created": "2025-11-19T20:03:05.195000",
      "tags": [
        "united",
        "link",
        "virtool",
        "meta",
        "atom",
        "pragma",
        "dynamicloader",
        "msie",
        "windows nt",
        "tls handshake",
        "failure",
        "tlsv1",
        "forbidden",
        "ogoogle trust",
        "encrypt",
        "possible",
        "write",
        "malware",
        "consumed",
        "netherlands",
        "united kingdom",
        "read c",
        "sality",
        "delphi",
        "win32",
        "strings",
        "xserver",
        "post http",
        "post method",
        "cryptexportkey",
        "ocloudflare",
        "cryptgenkey",
        "calgrc4",
        "persistence",
        "execution",
        "div div",
        "script script",
        "span a",
        "a li",
        "unknown ns",
        "span",
        "april",
        "passive dns",
        "hosting",
        "reverse dns",
        "hostname add",
        "files ip",
        "asn as32475",
        "address domain",
        "mirai",
        "united states",
        "facebook",
        "twitter",
        "youtube",
        "ck ids",
        "mh may",
        "t1204 technique",
        "user execution",
        "suggested",
        "port",
        "destination",
        "telnet login",
        "high",
        "tcp syn",
        "infectednight",
        "resolverror",
        "suspicious path",
        "ids detections",
        "yara detections",
        "sinkhole cookie",
        "file score",
        "detections sf",
        "value snkz",
        "forbidden tls",
        "et trojan",
        "value",
        "et info",
        "et",
        "present oct",
        "domain",
        "title",
        "present sep",
        "moved",
        "server",
        "next associated",
        "ipv4 add",
        "urls",
        "files",
        "trojan",
        "cookie",
        "predict70 sep",
        "next http",
        "scans record",
        "forbidden date",
        "gmt content",
        "type",
        "unix",
        "namecheap url",
        "forward elf",
        "md5 add",
        "less see",
        "contacted",
        "pulse pulses",
        "av detections",
        "analysis date",
        "virus",
        "ee fc",
        "unknown",
        "yara rule",
        "ff d5",
        "search",
        "show",
        "suspicious",
        "fbq object",
        "ide value",
        "source level",
        "url text",
        "line",
        "allow attribute",
        "mootools",
        "class function",
        "chain",
        "options",
        "elements",
        "garbage",
        "drag",
        "xhr function",
        "ajax",
        "itemid14",
        "kb image",
        "kb script",
        "b image",
        "b stylesheet",
        "b script",
        "kb stylesheet",
        "stylesheet",
        "redirect chain",
        "path size",
        "type mimetype",
        "resource",
        "general full",
        "montreal",
        "canada",
        "asn16276",
        "debian",
        "url http",
        "hash",
        "main",
        "cookie object",
        "dns any",
        "date",
        "entries",
        "url https",
        "Foundry",
        "Lazarus",
        "Endgame",
        "Neurotoxin Institute",
        "Hall Render",
        "Brian Sabey",
        "UC Health",
        "Britney Spears Official"
      ],
      "references": [
        "https://www.neurotoxininstitute.com/",
        "Backdoor.Win32.Pushdo.s Checkin",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
        "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
        "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
        "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
        "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
        "http://appelfarm.org",
        "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
        "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
        "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
        "Interesting Strings : 13.79.87.163",
        "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
        "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
        "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
        "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
        "https://britneyspears.com/",
        "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
        "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
        "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
        "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
        "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
        "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
        "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
        "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "France",
        "Germany",
        "Canada",
        "Netherlands",
        "United Kingdom of Great Britain and Northern Ireland",
        "New Zealand",
        "Italy",
        "Aruba",
        "Poland",
        "Singapore",
        "T\u00fcrkiye",
        "Indonesia",
        "Spain",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Netherlands",
          "display_name": "Netherlands",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "Virus:Win32/Krepper.30760",
          "display_name": "Virus:Win32/Krepper.30760",
          "target": "/malware/Virus:Win32/Krepper.30760"
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
          "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
          "target": null
        },
        {
          "id": "Suggested",
          "display_name": "Suggested",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.gen!MH",
          "display_name": "VirTool:Win32/VBInject.gen!MH",
          "target": "/malware/VirTool:Win32/VBInject.gen!MH"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Softcnapp",
          "display_name": "Softcnapp",
          "target": null
        },
        {
          "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
          "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
          "target": null
        },
        {
          "id": "Win32:Zbot-RUV",
          "display_name": "Win32:Zbot-RUV",
          "target": null
        },
        {
          "id": "Win32:Evo-gen",
          "display_name": "Win32:Evo-gen",
          "target": null
        },
        {
          "id": "Win32:Kryptik",
          "display_name": "Win32:Kryptik",
          "target": null
        },
        {
          "id": "Trojan:Win32/Bulta",
          "display_name": "Trojan:Win32/Bulta",
          "target": "/malware/Trojan:Win32/Bulta"
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 511,
        "hostname": 198,
        "domain": 471,
        "FileHash-SHA256": 1442,
        "FileHash-MD5": 183,
        "FileHash-SHA1": 79,
        "email": 5,
        "SSLCertFingerprint": 63
      },
      "indicator_count": 2952,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 148,
      "modified_text": "163 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f100d791f9f9f6ab7b4f24",
      "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
      "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
      "modified": "2024-10-23T05:03:21.045000",
      "created": "2024-09-23T05:47:03.625000",
      "tags": [
        "isp charter",
        "usage type",
        "fixed line",
        "isp hostname",
        "domain name",
        "country united",
        "america city",
        "denver",
        "colorado",
        "ip address",
        "whois",
        "check",
        "information isp",
        "inc usage",
        "type fixed",
        "line isp",
        "hostname",
        "plesk forum",
        "centos web",
        "panel forum",
        "whois lookup",
        "netrange",
        "nethandle",
        "net107",
        "net1070000",
        "cc3517",
        "inc orgid",
        "dr city",
        "stateprov",
        "postalcode",
        "status",
        "as7843 charter",
        "united",
        "name servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "emails",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "files",
        "reverse dns",
        "location united",
        "win32",
        "abuseipdb",
        "read",
        "write",
        "read c",
        "server header",
        "show",
        "suspicious",
        "kelihos",
        "trojan",
        "artemis",
        "virustotal",
        "download",
        "drweb",
        "vipre",
        "panda",
        "malware",
        "specified",
        "next",
        "et trojan",
        "et info",
        "medium",
        "http",
        "ids detections",
        "yara detections",
        "e98c1cec8156",
        "as11426 charter",
        "as20001 charter",
        "as11427 charter",
        "as11351 charter",
        "as16787 charter",
        "as33363 charter",
        "as20115 charter",
        "as10796 charter",
        "as12271 charter",
        "body",
        "servers",
        "all search",
        "entries",
        "intel",
        "ms windows",
        "windows nt",
        "destination",
        "port",
        "asnone",
        "heurunsec",
        "etpro trojan",
        "nxdomain",
        "a nxdomain",
        "aaaa",
        "asnone united",
        "aaaa nxdomain",
        "backdoor",
        "pulse submit",
        "url analysis",
        "location oxford",
        "as3456 charter",
        "moved",
        "showing",
        "body doctype",
        "html public",
        "ietfdtd html",
        "as6976 verizon",
        "as701 verizon",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "levelblue",
        "related pulses",
        "pulse pulses",
        "kryptikpii",
        "msr apr",
        "date",
        "creation date",
        "analyzer paste",
        "iocs",
        "samples",
        "secure server",
        "cname",
        "as5742",
        "body head",
        "object moved",
        "content length",
        "content type",
        "cookie",
        "as15133 verizon",
        "lowfi",
        "gmt server",
        "ecacc",
        "record value",
        "oxford",
        "michigan",
        "ns nxdomain",
        "soa nxdomain",
        "url http",
        "mitre att",
        "evasion ta0005",
        "creates",
        "discovery t1082",
        "reads software",
        "file",
        "t1083 reads",
        "jujubox",
        "zenbox",
        "get http",
        "request",
        "host",
        "win64",
        "khtml",
        "gecko",
        "response",
        "cus cndigicert",
        "tls rsa",
        "user",
        "javascript c",
        "doscom c",
        "text c",
        "files c",
        "storage",
        "file system",
        "filesadobe c",
        "appdata",
        "appdatalocal",
        "hostnames",
        "ta0002 command",
        "t1059 very",
        "t1064",
        "javascript",
        "modules t1129",
        "ta0003 create",
        "modify system",
        "process t1543",
        "windows service",
        "cisco umbrella",
        "blacklist",
        "safe site",
        "filerepmalware",
        "microsoft",
        "phishing bank",
        "sgeneric",
        "malware site",
        "unsafe",
        "number",
        "cus cngts",
        "ogoogle trust",
        "subject",
        "algorithm",
        "cus ouserver",
        "ouserver ca",
        "record type",
        "ttl value",
        "msms86718722",
        "query",
        "open",
        "capa",
        "create process",
        "windows create",
        "delete file",
        "write file",
        "windows check",
        "os version",
        "enumerate",
        "hashes",
        "signals mutexes",
        "mutexes",
        "open threat",
        "location los",
        "emails info",
        "expiration date",
        "write c",
        "process32nextw",
        "regsetvalueexa",
        "regdword",
        "module load",
        "t1129",
        "as51167 contabo",
        "germany unknown",
        "as40021 contabo",
        "encrypt",
        "hosting",
        "netherlands asn",
        "as204601 zomro",
        "pulses",
        "tags",
        "related tags",
        "indicator facts",
        "historical otx",
        "files ip",
        "asnone germany",
        "as174 cogent",
        "czechia unknown",
        "whitelisted",
        "certificate",
        "bittorrent dht",
        "post http",
        "et p2p",
        "cryptexportkey",
        "invalid pointer",
        "delete c",
        "post utcore",
        "benchhttp",
        "mozilla",
        "maldoc",
        "service",
        "tools",
        "nids",
        "et",
        "x95xd3xa4",
        "regbinary",
        "hx88x89",
        "kx82xd3x11",
        "xb9x8b",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "stream",
        "persistence",
        "execution",
        "dynamicloader",
        "contacted",
        "domains",
        "yara rule",
        "high",
        "dynamic",
        "pcap",
        "pushdo",
        "msie",
        "activity beacon",
        "malware beacon",
        "default",
        "redacted for",
        "for privacy",
        "as3379 kaiser",
        "server",
        "gmt content",
        "type",
        "x frame",
        "entries http",
        "scans show",
        "domain related",
        "no data",
        "tag count",
        "fakedout threat",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "sample",
        "detection list",
        "components",
        "zune",
        "etpro",
        "nod32",
        "avast avg",
        "next http",
        "example domain",
        "title meta",
        "invalid url",
        "akamai",
        "urls http",
        "as20940",
        "as16625 akamai",
        "netherlands",
        "germany",
        "france",
        "virtool",
        "rock",
        "address",
        "apache",
        "accept",
        "as8075",
        "pulse http",
        "related nids",
        "files location",
        "moldova related",
        "pulses none",
        "as31898 oracle",
        "title",
        "kryptiklfq",
        "win32dh",
        "vitro",
        "shutdown",
        "erase",
        "find",
        "close",
        "as53418",
        "hat server",
        "as797 att",
        "script urls",
        "a domains",
        "as10753 level",
        "script script",
        "meta",
        "path",
        "null",
        "stop",
        "as54113",
        "chrome",
        "as7018 att",
        "as28521",
        "mexico unknown",
        "fastly error",
        "please",
        "sea p",
        "object",
        "set cookie",
        "pragma",
        "as19536 directv",
        "united kingdom",
        "as60664 xion",
        "trojan features",
        "moldova unknown",
        "susp",
        "breaking news",
        "business",
        "finance",
        "entertainment",
        "sports",
        "games",
        "trending videos",
        "weather",
        "home",
        "as396982 google",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "cyberfolks",
        ".pl",
        "level 3"
      ],
      "references": [
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "http://www.door.net/ARISBE/arisbe.htm",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Hungary",
        "Ukraine",
        "Spain",
        "Brazil",
        "Russian Federation",
        "Moldova, Republic of",
        "Japan",
        "Ireland",
        "Luxembourg",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Backdoor:Win32/Tofsee",
          "display_name": "Backdoor:Win32/Tofsee",
          "target": "/malware/Backdoor:Win32/Tofsee"
        },
        {
          "id": "Cerber Ransomware",
          "display_name": "Cerber Ransomware",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Inject3.QGY",
          "display_name": "Inject3.QGY",
          "target": null
        },
        {
          "id": "Kelihos",
          "display_name": "Kelihos",
          "target": null
        },
        {
          "id": "ETPRO",
          "display_name": "ETPRO",
          "target": null
        },
        {
          "id": "NOD32",
          "display_name": "NOD32",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator",
          "display_name": "VirTool:Win32/Obfuscator",
          "target": "/malware/VirTool:Win32/Obfuscator"
        },
        {
          "id": "Sf:ShellCode-AU\\ [Trj]",
          "display_name": "Sf:ShellCode-AU\\ [Trj]",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba",
          "display_name": "Trojan:Win32/Glupteba",
          "target": "/malware/Trojan:Win32/Glupteba"
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2060,
        "hostname": 3067,
        "CIDR": 4,
        "URL": 1300,
        "email": 29,
        "FileHash-MD5": 3181,
        "FileHash-SHA1": 1994,
        "FileHash-SHA256": 3228,
        "CVE": 2,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 14866,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "585 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c3af07b73d51dc4bb9efbc",
      "name": "Phrishing and MiSL, at odomou.com",
      "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.",
      "modified": "2023-09-10T13:02:26.487000",
      "created": "2023-07-28T12:05:27.845000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Hell-On-A-Stick",
        "id": "186907",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 489,
        "FileHash-MD5": 135,
        "FileHash-SHA1": 129,
        "URL": 316,
        "domain": 341,
        "hostname": 219,
        "CVE": 1
      },
      "indicator_count": 1630,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 51,
      "modified_text": "994 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sprintmail.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sprintmail.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780280352.431253
}