{
  "type": "Domain",
  "indicator": "subprocess.call",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/subprocess.call",
    "alexa": "http://www.alexa.com/siteinfo/subprocess.call",
    "indicator": "subprocess.call",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1205787360,
      "indicator": "subprocess.call",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "66c3479768ec16f58ae7dfe7",
          "name": "The Abuse of ITarian RMM by Dolphin Loader",
          "description": "This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system monitoring, to operate stealthily and evade detection. The report provides an in-depth analysis of the Dolphin Loader's techniques, including the use of AutoIt scripts for payload execution and the abuse of the ITarian RMM software's 'Procedures' feature to run malicious Python scripts on registered devices.",
          "modified": "2024-09-18T13:00:26.861000",
          "created": "2024-08-19T13:24:38.403000",
          "tags": [
            "itarian",
            "evade",
            "sectoprat",
            "autoit",
            "malware-as-a-service",
            "lummac2",
            "dolphin loader",
            "rhadamanthys",
            "stealthy",
            "redline",
            "python",
            "darkgate",
            "rmm"
          ],
          "references": [
            "https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader"
          ],
          "public": 1,
          "adversary": "Dolphin Loader",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Dolphin Loader",
              "display_name": "Dolphin Loader",
              "target": null
            },
            {
              "id": "SectopRAT",
              "display_name": "SectopRAT",
              "target": null
            },
            {
              "id": "LummaC2",
              "display_name": "LummaC2",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1085",
              "name": "Rundll32",
              "display_name": "T1085 - Rundll32"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 210,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 9,
            "domain": 11
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376506,
          "modified_text": "572 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d241ad80972b915e79f7ee",
          "name": "Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2 - Real-time Open Source Software Supply Chain Security",
          "description": "The SafeDep Team reveals details of a series of malicious npm Strapi plugin packages that deploy a Redis RCE, database theft, and a persistent C2.",
          "modified": "2026-04-05T11:04:09.969000",
          "created": "2026-04-05T11:04:09.969000",
          "tags": [
            "strong",
            "april",
            "devnull",
            "payload",
            "redis",
            "strapi",
            "phase",
            "config set",
            "json",
            "c2 agent",
            "python",
            "malware",
            "config",
            "stop",
            "harvester",
            "info",
            "trojan",
            "back",
            "grep",
            "payment",
            "download",
            "pass",
            "false",
            "cold",
            "shell",
            "target",
            "terminal",
            "attack",
            "code",
            "install",
            "remote access"
          ],
          "references": [
            "https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1525",
              "name": "Implant Internal Image",
              "display_name": "T1525 - Implant Internal Image"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "darksword",
            "id": "381736",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 1,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679a4267fe0eab278232f610",
          "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
          "description": "The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.",
          "modified": "2025-02-28T14:02:13.817000",
          "created": "2025-01-29T14:59:51.674000",
          "tags": [
            "ipv4",
            "pgpassword",
            "d brokerdb",
            "strong",
            "cisa",
            "ttyunknown",
            "userroot",
            "pgsqlpw",
            "u gsbadmin",
            "redacted gsb",
            "cyber",
            "tools",
            "python",
            "gogo",
            "psexec",
            "sector",
            "local",
            "download",
            "matrix",
            "upgrade",
            "install",
            "zero",
            "contact",
            "small",
            "execution",
            "persistence"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "FileHash-MD5": 21,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 9,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "409 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679721f054b8ee5989a51106",
          "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications",
          "description": "The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in\nIvanti\u2019s Connect Secure, Policy Secure and ZTA Gateways",
          "modified": "2025-02-26T06:04:49.150000",
          "created": "2025-01-27T06:04:32.848000",
          "tags": [
            "Vulnerabilities",
            "Threat"
          ],
          "references": [
            "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications_0.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 9,
            "domain": 2
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 263,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6793958f83ca397972dd5e0c",
          "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
          "description": "This intelligence provides actionable insights into the September 2024 exploitation of Ivanti Cloud Service Appliances (CSA) by attackers who chained various Ivanti CSA vulnerabilities with CVE-2024-8963. The chaining of these vulnerabilities led to unauthorized access, remote code execution, credential theft, and webshell deployment. Even though exploitation occurred in September 2024, organizations using affected versions of Ivanti CSA are still at risk. The Advisory warns that \"Credentials and sensitive data stored within affected Ivanti appliances should be considered compromised.\"",
          "modified": "2025-02-23T13:01:46.148000",
          "created": "2025-01-24T13:28:47.127000",
          "tags": [
            "threattype/Vulnerability Exploitation",
            "threattype/Webshell Deployment",
            "threattype/Remote Code Execution",
            "threattype/Credential Theft",
            "kevc/Ivanti Cloud Service Appliances (CSA) CVE-2024-8963, CVE-20",
            "Industries/All Industries"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1564.002",
              "name": "Hidden Users",
              "display_name": "T1564.002 - Hidden Users"
            },
            {
              "id": "T1548.003",
              "name": "Sudo and Sudo Caching",
              "display_name": "T1548.003 - Sudo and Sudo Caching"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1595.002",
              "name": "Vulnerability Scanning",
              "display_name": "T1595.002 - Vulnerability Scanning"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "FileHash-MD5": 22,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 9,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "414 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6791fd7e620f43b14ba8977a",
          "name": "Ivanti Cloud Service Applications IoC",
          "description": "The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are\nreleasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities\nin Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code\nexecution vulnerabilities.",
          "modified": "2025-02-22T08:03:34.212000",
          "created": "2025-01-23T08:27:42.846000",
          "tags": [],
          "references": [
            "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 9,
            "domain": 2
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 50,
          "modified_text": "416 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67916dc1b703933501892988",
          "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
          "description": "",
          "modified": "2025-02-21T22:02:47.333000",
          "created": "2025-01-22T22:14:25.494000",
          "tags": [
            "ipv4",
            "pgpassword",
            "d brokerdb",
            "strong",
            "cisa",
            "ttyunknown",
            "userroot",
            "pgsqlpw",
            "u gsbadmin",
            "redacted gsb",
            "cyber",
            "tools",
            "python",
            "gogo",
            "psexec",
            "sector",
            "local",
            "download",
            "matrix",
            "upgrade",
            "install",
            "zero",
            "contact",
            "small",
            "execution",
            "persistence"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "FileHash-MD5": 22,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 9,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "416 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "676da40ba4a260f1ce70f336",
          "name": "Analyzing Malicious Intent in Python Code: A Case Study | FortiGuard Labs",
          "description": "AI security scans detected two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, designed for surveillance, data theft, and unauthorized access. Zebo-0.1.0 uses stealthy techniques like keylogging and screen recording to exfiltrate data and maintain persistence. Cometlogger-0.1 exhibits advanced capabilities including webhook manipulation, information theft, anti-VM evasion, and dynamic file modification. Both pose significant security risks, emphasizing the need for robust cybersecurity measures",
          "modified": "2024-12-26T18:44:27.769000",
          "created": "2024-12-26T18:44:27.769000",
          "tags": [
            "python",
            "fortiguard labs threat research",
            "internet",
            "run antivirus",
            "tools",
            "reformat",
            "prevention code",
            "review",
            "implement",
            "python script",
            "imagegrab",
            "antivm",
            "malicious",
            "oss"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "OSS",
              "display_name": "OSS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 212,
          "modified_text": "473 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "506 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "506 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39656,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "514 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6605781ad51380e5b1c22815",
          "name": "haul from the last two weeks of wrangling - presumed malware and IOC's found on my personal devices",
          "description": "Nearing the two-year mark of the initial attack. Unfortunately, OTX was only able to pull domains from the large majority of the files uploaded, which seems to be a built-in anti-debug feature and fits the theme and \"look & feel\" of this latest iteration, in that most of them were somehow remote and acting as a net file system on my machine.",
          "modified": "2024-04-27T02:04:29.606000",
          "created": "2024-03-28T14:00:58.809000",
          "tags": [
            "dddf",
            "target",
            "dddj",
            "path",
            "base o",
            "base",
            "backupfile",
            "base rw",
            "exit",
            "date",
            "hell",
            "gnu libtool",
            "please do",
            "linker",
            "lsmime3 lnss3",
            "lplc4 lnspr4",
            "ludev",
            "directory",
            "lmagic ljansson",
            "feugiat",
            "lorem ipsum",
            "nulla facilisi",
            "malesuada",
            "etiam tempor",
            "suspendisse",
            "consectetur",
            "bibendum",
            "amet",
            "eget aliquet",
            "basesectors",
            "date echo",
            "default",
            "label",
            "kernel",
            "append rhgb",
            "clsid",
            "systemroot",
            "webbrowser",
            "ispell",
            "imagemagick",
            "flex",
            "zle c",
            "whois",
            "locate",
            "rubber",
            "chown",
            "ruby",
            "ninja",
            "pacman",
            "restart",
            "kill",
            "django",
            "mark",
            "repl",
            "service",
            "term",
            "mkdir",
            "borg",
            "black",
            "conan",
            "dolphin",
            "dotnet",
            "hello",
            "john",
            "generic",
            "find",
            "shutdown",
            "mozilla",
            "first",
            "subsystem",
            "action",
            "goto",
            "load",
            "devtype",
            "idnetdriver",
            "drivers",
            "program",
            "interface",
            "nmunmanaged",
            "ethernet",
            "mac prefix",
            "attr",
            "virtualbox host",
            "mac address",
            "interface name",
            "hello world",
            "unit",
            "timer",
            "onbootsec5min",
            "install",
            "wait online",
            "networkmanager",
            "edit",
            "note",
            "typeoneshot",
            "cloud",
            "optin",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "enable debug",
            "trace",
            "killmodeprocess",
            "typedbus",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "include",
            "yara",
            "cflags",
            "libs",
            "xxx remove",
            "the author",
            "this software",
            "isc license",
            "copyright",
            "schlueter",
            "permission",
            "software is",
            "provided",
            "as is",
            "disclaims all",
            "direct",
            "require",
            "semver",
            "comparator",
            "range",
            "releasetypes",
            "simple",
            "tilde",
            "09azaz",
            "prerelease",
            "same",
            "beta",
            "semverrangesgtr",
            "semverrangesltr",
            "coerce version",
            "ranges",
            "alpha",
            "standalone",
            "exits",
            "null",
            "false",
            "reverse",
            "compare",
            "a javascript",
            "copyright isaac",
            "typeerror",
            "maxsafeinteger",
            "maxlength",
            "break",
            "error",
            "number",
            "drop",
            "same direction",
            "symbol",
            "comp",
            "const",
            "caret",
            "flagloose",
            "xrange",
            "parse",
            "identifier",
            "object",
            "match",
            "string",
            "walk",
            "manually",
            "stop",
            "highhaspre",
            "major",
            "minor",
            "patch",
            "istanbul",
            "preminor",
            "index",
            "regexp",
            "build metadata",
            "meaning",
            "replace",
            "token",
            "zero",
            "star",
            "infinity",
            "return",
            "a cache",
            "build status",
            "coverage status",
            "the same",
            "options",
            "before",
            "lrulist",
            "cache",
            "length",
            "dispose",
            "maxage",
            "allowstale",
            "nodisposeonset",
            "yallist",
            "node",
            "array",
            "head",
            "function",
            "tail",
            "start",
            "insert",
            "just",
            "node object",
            "barbar",
            "array method",
            "default export",
            "any comparator",
            "complex range",
            "simple range",
            "c1 c2",
            "outer",
            "every simple",
            "ecomp",
            "must",
            "clone",
            "case",
            "ignore",
            "setmin",
            "determine",
            "version",
            "typeof",
            "contribute",
            "status",
            "node package",
            "manager",
            "benchmark suite",
            "installation",
            "direct download",
            "ql https",
            "node version",
            "usage",
            "project",
            "calendar",
            "package",
            "source",
            "license",
            "source form",
            "perl foundation",
            "distributor fee",
            "distribute",
            "standard",
            "neither",
            "module",
            "basecommand",
            "lifecyclecmd",
            "base command",
            "pacote",
            "browser",
            "workspace",
            "pkgname",
            "await",
            "boolean",
            "base class",
            "wrapwidth",
            "chalk",
            "command",
            "config",
            "npmcliconfig",
            "logfile",
            "timers",
            "display",
            "location",
            "audit",
            "arboristcmd",
            "arborist",
            "global",
            "whoami",
            "async",
            "json",
            "view",
            "pref",
            "pckmnt",
            "resolve",
            "utf8",
            "libnpmversion",
            "unstar",
            "update",
            "save",
            "omit",
            "packagelock",
            "dryrun",
            "force",
            "libnpmaccess",
            "spec",
            "uninstall",
            "todo",
            "enoent",
            "enotdir",
            "test",
            "scriptshell",
            "scope",
            "team",
            "create",
            "user",
            "libnpmteam",
            "destroy",
            "table",
            "list",
            "cidr",
            "stars",
            "eneedauth",
            "shrinkwrap",
            "rename",
            "npmcliarborist",
            "value",
            "unicode",
            "sbom",
            "cyclonedx",
            "build",
            "sbomformats",
            "response",
            "software bill",
            "look",
            "script",
            "runscript",
            "indent",
            "root",
            "minipass",
            "search",
            "pipeline",
            "filterstream",
            "libnpmsearch",
            "long",
            "grab",
            "packageurlcmd",
            "repo",
            "info",
            "repo const",
            "rebuild",
            "reifycmd",
            "publish",
            "libnpmpack",
            "npmclirunscript",
            "prune",
            "remove",
            "prefix",
            "args",
            "queryable",
            "packagejson",
            "pong",
            "cleanurl",
            "registry",
            "pack",
            "load tarball",
            "noise",
            "query",
            "edge",
            "etarget",
            "e403",
            "e404",
            "outdated",
            "homepage",
            "developer",
            "admin",
            "owner",
            "libnpmorg",
            "npmfetch",
            "logout",
            "getauth",
            "invalid",
            "parent",
            "depth",
            "type",
            "filteredby",
            "dedupe",
            "problems",
            "login",
            "link",
            "util",
            "installcitest",
            "runs",
            "prop",
            "password",
            "profile",
            "mode",
            "email",
            "twitter",
            "hook",
            "libnpmhook",
            "init",
            "wpath",
            "installtest",
            "complete",
            "globaltop",
            "help",
            "viewer",
            "glob",
            "pattern",
            "file",
            "globify",
            "explore",
            "shell",
            "handle",
            "fund",
            "which",
            "fundingsource",
            "archy",
            "explain",
            "helpsearch",
            "text",
            "part",
            "editor",
            "editor const",
            "childprocess",
            "check",
            "nodemodules",
            "docs",
            "promisify",
            "doctor",
            "cacache",
            "mask",
            "win32",
            "disttag",
            "packagespec",
            "semver range",
            "delete",
            "diff",
            "workspacepath",
            "actualtree",
            "libnpmdiff",
            "deprecate",
            "message",
            "write",
            "clean",
            "spawn",
            "compline",
            "comppoint",
            "compcword",
            "epipe",
            "completion",
            "compfish",
            "os x",
            "bugs",
            "report",
            "adduser",
            "exec",
            "libnpmexec",
            "localprefix",
            "runpath",
            "skip",
            "public key",
            "npmauditreport",
            "access",
            "item",
            "finddupes",
            "syntaxerror",
            "getcli",
            "eventemitter",
            "abort",
            "ssri",
            "columnify",
            "bundled",
            "tarball details",
            "sha1",
            "daily",
            "latest",
            "check daily",
            "weekly",
            "cyclonedxschema",
            "cyclonedxformat",
            "proppath",
            "propbundled",
            "propdevelopment",
            "propextraneous",
            "propprivate",
            "refvcs",
            "refwebsite",
            "crypto",
            "readpassword",
            "readusername",
            "reademail",
            "enter",
            "enter otp",
            "otpprompt",
            "afaf09",
            "passwordprompt",
            "auditerror",
            "getfundinginfo",
            "json output",
            "data",
            "append",
            "maybeindex",
            "ontimeend",
            "name",
            "returns",
            "noassertion",
            "spdxidentifer",
            "spdxdatalicense",
            "reldescribes",
            "reldep",
            "reftypepurl",
            "spdxid",
            "eotp",
            "e401",
            "setinterval",
            "npmlog",
            "proclog",
            "maxlogsperfile",
            "fsminipass",
            "open",
            "colmax",
            "colmin",
            "colgutter",
            "quick help",
            "convert",
            "b return",
            "mb return",
            "gb return",
            "sigint",
            "readline",
            "prompt",
            "promise",
            "eresolve error",
            "overridden",
            "peer",
            "extraneous",
            "optional",
            "isworkspace",
            "maxlen",
            "code",
            "unfinished",
            "notice",
            "isshellout",
            "matcherrorcode",
            "devnull",
            "npmcompletion",
            "compwords",
            "compreply",
            "o default",
            "f npmcompletion",
            "ifs compadd",
            "fish shell",
            "l cmd",
            "taken",
            "comp stuff",
            "lx compline",
            "abbrev",
            "please",
            "enyi",
            "json version",
            "cygwin",
            "c1 control",
            "numbers",
            "x09 x0a",
            "10000",
            "nodemodulesnpm",
            "builtin",
            "npmrc",
            "notsup",
            "notarget",
            "nospc",
            "rofs",
            "author",
            "npmclifs",
            "minimatch",
            "pathtofoo",
            "relative",
            "synopsis",
            "description",
            "field",
            "person",
            "configuration",
            "whether",
            "premajor",
            "prepatch",
            "prevents",
            "run git",
            "upgrade",
            "examples",
            "will",
            "shareman",
            "cidr whitelist",
            "please refer",
            "tokenid",
            "eslint",
            "c eslint",
            "compatibility",
            "older",
            "versions",
            "nodeoptions",
            "details",
            "output",
            "example",
            "posix",
            "unstarring",
            "lcall",
            "starring",
            "lock",
            "materials",
            "spdx",
            "lodash",
            "nodeenv",
            "initcwd",
            "boolean set",
            "boolean tells",
            "windows",
            "unix",
            "selector",
            "use cases",
            "queries",
            "equivalent",
            "boolean show",
            "nocolor environ",
            "cli look",
            "boolean force",
            "dependency",
            "json object",
            "production",
            "files",
            "cicd system",
            "property",
            "change",
            "url opener",
            "basic auth",
            "allow",
            "description a",
            "removes",
            "semvermajor",
            "ping https",
            "ping http",
            "found",
            "get http",
            "example add",
            "json format",
            "handy",
            "display prefix",
            "g usrlocal",
            "mycorp",
            "associate",
            "deprecated",
            "libnodemodules",
            "caveat note",
            "workspace usage",
            "string override",
            "tarball",
            "githubrepo",
            "initializer",
            "usrfoo",
            "forwarding",
            "suppose",
            "commandsnpm",
            "hooks",
            "url endpoint",
            "browse",
            "consider",
            "ci environment",
            "string optional",
            "promzard",
            "top level",
            "expect",
            "javascript",
            "it staff",
            "https",
            "cli team",
            "ecmascript",
            "readme",
            "package current",
            "latest location",
            "depended",
            "git repos",
            "git dependency",
            "newest version",
            "modify package",
            "description add",
            "show",
            "purpose tags",
            "tags",
            "keyvalue",
            "16 16",
            "boolean ignore",
            "boolean do",
            "string source",
            "treat",
            "example make",
            "grep",
            "travis ci",
            "details npm",
            "localappdata",
            "tab completion",
            "bulk advisory",
            "sha256publickey",
            "endpoint",
            "quick audit",
            "set access",
            "that user",
            "scoped",
            "python",
            "description npm",
            "node javascript",
            "important npm",
            "introduction",
            "c code",
            "unix system",
            "integrity",
            "provide",
            "facilitate",
            "cli tool",
            "handling old",
            "lockfiles",
            "file format",
            "legacy",
            "urls",
            "spdx license",
            "most",
            "barney rubble",
            "specify",
            "github",
            "dependencies",
            "github urls",
            "node installer",
            "linux",
            "overview",
            "windows node",
            "prefixetcnpmrc",
            "variablename",
            "home",
            "comments",
            "peruser config",
            "global config",
            "builtin config",
            "auth",
            "cycles",
            "local install",
            "global install",
            "appdata",
            "below",
            "please note",
            "stage",
            "after",
            "life cycle",
            "runs after",
            "post scripts",
            "scripts",
            "slate",
            "synopsis so",
            "rf usrlocal",
            "modules",
            "with",
            "laf usrlocal",
            "l npm",
            "description all",
            "installing",
            "myorgmypackage",
            "requiring",
            "publishing",
            "private modules",
            "scopes",
            "apis",
            "auth related",
            "does",
            "package name",
            "aliases",
            "folders",
            "os equivalent",
            "tarballs",
            "teams",
            "orgs",
            "super admin",
            "team admins",
            "developer guide",
            "description so",
            "be explicit",
            "blank",
            "standard glob",
            "link packages",
            "syntax",
            "selectors",
            "querying",
            "log file",
            "location all",
            "log levels",
            "information",
            "headers",
            "logs",
            "alias",
            "certificate",
            "format",
            "docext",
            "content",
            "descriptions",
            "shorthands",
            "keyb",
            "print",
            "dir1",
            "manual",
            "input",
            "line",
            "process",
            "display help",
            "dirs",
            "get contents",
            "maxdepth",
            "contents",
            "u2665 bxe5r",
            "ud834udf06 baz",
            "single",
            "cssesc",
            "usage arborist",
            "commands",
            "options most",
            "npm install",
            "npm rm",
            "time",
            "silent",
            "fetch",
            "conf",
            "handler",
            "extract",
            "additional",
            "jackspeak",
            "jack",
            "glob v",
            "expand",
            "drive letter",
            "never",
            "true",
            "rob browning",
            "gnu library",
            "general",
            "public license",
            "license file",
            "future import",
            "adderror",
            "cdfq",
            "charles levert",
            "egrep",
            "egrepegrep",
            "fgrepfgrep",
            "grepgrep",
            "svr4 grepegrep",
            "times",
            "attributeerror",
            "fixcygwinid",
            "enhanced",
            "false try",
            "false assert",
            "tsns",
            "inetaddress",
            "none",
            "return value",
            "unixaddress",
            "localrepo",
            "httpserver",
            "valueerror",
            "resourcepath",
            "exception",
            "eoferror",
            "c version",
            "bytesio",
            "offset",
            "binary",
            "ascii",
            "baseversion",
            "commit",
            "throw",
            "in n",
            "send",
            "data end",
            "if 10",
            "copy",
            "send logoutn",
            "exitatoi",
            "tmplink",
            "lcallc binls",
            "varlogsetup rm",
            "sf tmp",
            "slackware",
            "system console",
            "entry",
            "ansi mode",
            "b007e",
            "slackware ftp",
            "cdrom",
            "miquel van",
            "smoorenburg",
            "okay",
            "minix",
            "fixme",
            "overwrite",
            "connect",
            "ssh connection",
            "subcmd",
            "bbupttywidth",
            "bupforcetty",
            "hashsplitter",
            "b options",
            "false def",
            "hack",
            "kbytesr",
            "srcpath",
            "tmptagfiles",
            "device",
            "tmpreply",
            "reply",
            "including",
            "but not",
            "quotesplit",
            "quoteerror",
            "not word",
            "split line",
            "mainselect",
            "tpxetcfstab",
            "select",
            "slackware linux",
            "varlogmount",
            "anything",
            "tmpswapmsg",
            "swappart",
            "ndir",
            "swaplist",
            "tmpsetswap",
            "linux swap",
            "swap space",
            "redir",
            "linux fdisk",
            "tmptmpscript",
            "eof fi",
            "instsets",
            "gnome",
            "tmpsetds",
            "tmpsetseries",
            "gnu emacs",
            "gnome desktop",
            "linux kernel",
            "k desktop",
            "uucp",
            "tmp fi",
            "tmpsettpx",
            "tpxetcshadow",
            "root password",
            "detected",
            "internet",
            "press",
            "linux native",
            "partitions",
            "tmpreturn",
            "nodes",
            "nextpartition",
            "rootdevice",
            "mtpt",
            "size",
            "formatting",
            "doformat",
            "main",
            "done",
            "sourcemedia",
            "tmpmedia",
            "source media",
            "selection",
            "slackware cd",
            "network file",
            "tmpsetreturn",
            "maketag",
            "choice",
            "mount",
            "tagext",
            "tmpsetnewtag",
            "tmpsettagmake",
            "sorry",
            "tmpsetkeymap",
            "mapname",
            "moorhead",
            "keyboard map",
            "us keyboard",
            "updown",
            "copying",
            "kernel chmod",
            "kernel rdev",
            "lilo",
            "fullerr",
            "tmpsettestfull",
            "partition full",
            "setup",
            "altf2",
            "slackware setup",
            "dospart",
            "newdir",
            "tmptempscript",
            "tmpsetdos",
            "partition",
            "ntfs",
            "doslist",
            "installscripts",
            "tpxproc",
            "atapi cd",
            "kerberos",
            "file transfer",
            "iana",
            "appletalk",
            "network",
            "control",
            "secure shell",
            "chat",
            "contact",
            "prospero",
            "outtag",
            "outshift",
            "if 30",
            "conn",
            "setmode",
            "dumb",
            "smart",
            "clienterror",
            "rather",
            "stopiteration",
            "firstexclusion",
            "appendcommit",
            "firstbranchitem",
            "filterbranch",
            "origtip",
            "oldnew",
            "remoterepo",
            "group",
            "prevpath",
            "sisdir import",
            "dangerous",
            "count",
            "subcount",
            "ioerror",
            "oserror",
            "gitmodetree",
            "gitmodefile",
            "gitmodesymlink",
            "stack",
            "nonlocal",
            "revision",
            "presdir",
            "admdirpackages",
            "warn",
            "tmprequiredlist",
            "trigger",
            "arch",
            "procscsiscsi",
            "luns",
            "scsi",
            "ax1b",
            "skript",
            "scsi bus",
            "kurt garloff",
            "gnu gpl",
            "ieee1394",
            "l found0",
            "nextrepoid",
            "repoid",
            "realpath",
            "usb keyboard",
            "d libmodules",
            "nousb",
            "procbususb a",
            "procbususb fi",
            "load input",
            "q input",
            "inet system",
            "hostname",
            "attach",
            "etcmotd",
            "newdisk",
            "scan",
            "slackkernel",
            "ram disk",
            "r sbp2",
            "r ieee1394",
            "firewire",
            "noieee1394",
            "q ieee1394",
            "attempt",
            "use f",
            "none def",
            "return password",
            "return none",
            "passwd",
            "nametopwdcache",
            "gidtogrpcache",
            "nametogrpcache",
            "tagfile",
            "prompt mode",
            "help software",
            "less",
            "removepkg",
            "gnu cc",
            "linux source",
            "pkgtool",
            "proccmdline",
            "termvt100",
            "termlinux",
            "homeroot lessmm",
            "ps1u",
            "home path",
            "display less",
            "term ps1",
            "kind",
            "branch",
            "period",
            "tmpsetfdisk",
            "minor elif",
            "smashedline",
            "l dev",
            "tmpsetfdisk fi",
            "probe",
            "mylex",
            "raid",
            "disksets",
            "packagedir",
            "blurb",
            "sourcedir",
            "tmptmpmsg",
            "tmptagfile",
            "media",
            "pcmcia",
            "umountcdrom",
            "o ro",
            "floppy",
            "pcmcia andor",
            "cardbus",
            "usedflopfalse",
            "libdir",
            "libdir exedir",
            "bcmd",
            "exedir",
            "openssl set",
            "packageversion",
            "versiongreater",
            "invert",
            "optdict",
            "intify",
            "limited to",
            "sockets layer",
            "argv",
            "normally",
            "shutwr",
            "sigexception",
            "demuxconn",
            "pipe import",
            "demultiplex",
            "openssl",
            "debug",
            "opensslversion",
            "static imported",
            "target openssl",
            "cmake",
            "shared imported",
            "fatalerror",
            "obex",
            "import",
            "stringio import",
            "obex service",
            "bdaddr channeln",
            "ascii character",
            "alength",
            "notfoundreturn",
            "use nis",
            "nis version",
            "name service",
            "switch config",
            "legal",
            "use dns",
            "domain name",
            "os2 boot",
            "os2 fdisk",
            "partition magic",
            "boot manager",
            "tcpip subsystem",
            "nfs install",
            "network support",
            "make",
            "sample file",
            "zip disk",
            "zip drive",
            "first scsi",
            "first ide",
            "atari",
            "solaris",
            "drive x",
            "zip100",
            "linkdir",
            "linkdir fi",
            "tmp directory",
            "asap",
            "linkdir tmp",
            "indexerror",
            "want",
            "midxversion",
            "wrapper",
            "multiple index",
            "filename",
            "desiredhwm",
            "domidx",
            "exitstack",
            "total",
            "option",
            "c option",
            "vmsize",
            "vmrss",
            "vmdata",
            "vmstk",
            "majflt",
            "september",
            "guess object",
            "longmatch",
            "raid device",
            "devrd",
            "devname",
            "concord",
            "applyerror",
            "metadata",
            "einval",
            "macos",
            "frozen",
            "fifo",
            "common code",
            "faildelay",
            "faillogenab",
            "logunkfailenab",
            "logoklogins",
            "lastlogenab",
            "mailcheckenab",
            "quotasenab",
            "syslogsuenab",
            "syslogsgenab",
            "console console",
            "ttywidth",
            "baseexception",
            "pythonpath",
            "pipe",
            "sigismember",
            "xdropaqueauth",
            "libcpvalloc",
            "rtld",
            "gnu c",
            "library",
            "free software",
            "foundation",
            "gnu lesser",
            "general public",
            "merchantability",
            "refs",
            "keyerror",
            "important",
            "carefully",
            "kwargs",
            "super",
            "true result",
            "priority",
            "pmsg",
            "crunch",
            "tmptempmsg",
            "localnetmask",
            "localipaddr",
            "upnrun",
            "ip address",
            "localgateway",
            "kversion",
            "eof dialog",
            "tmpmask",
            "localnetwork",
            "slackdevice",
            "fgrep",
            "ftp site",
            "tmpsetmount",
            "reboot machine",
            "tmpwhichdrv",
            "tmpsetmount cat",
            "select floppy",
            "drive",
            "tmptempmsg exit",
            "tmptempmsg mv",
            "tmpsourcedir",
            "drivefound",
            "cddvd",
            "rdir",
            "cddvd drive",
            "tmpsetcddev",
            "ide bus",
            "tmperrordo exit",
            "third",
            "login binsh",
            "l ttys0",
            "l ttys1",
            "x0 s",
            "reboot",
            "stuff",
            "bupdir",
            "iterhelper",
            "next",
            "none d",
            "indexhdr",
            "ixexists",
            "ixhashvalid",
            "ixshamissing",
            "indexsig",
            "entlen",
            "footersig",
            "tmpdir",
            "experimental",
            "bdupcache",
            "brestore",
            "bindex",
            "agulbra",
            "tcpip",
            "linux box",
            "hlinkdb",
            "verify",
            "maxpertree",
            "bupblobbits",
            "buptreeblobbits",
            "giterror",
            "mpicount",
            "bupnormal",
            "bupchunked",
            "refresh",
            "close",
            "dump",
            "dest",
            "commonargs",
            "ref dest",
            "pick",
            "btree",
            "missingobject",
            "bloom filter",
            "existingcount",
            "idxlivecount",
            "ram budget",
            "bupfs",
            "importerror",
            "fuse",
            "verbose",
            "fakemetadata",
            "fsdecode",
            "ptraceerror",
            "ptracesetregs",
            "cpu64bits",
            "ptraceattach",
            "ptracedetach",
            "ptracesyscall",
            "cpuwordsize",
            "runningbsd",
            "ext2",
            "proc proc",
            "commanderror",
            "optionerror",
            "lcctype",
            "iso88591",
            "localrepo repo",
            "sbine2fsck",
            "bfailed",
            "elif",
            "bcanary",
            "posix acls",
            "linux partition",
            "move",
            "pgdnspace",
            "olargefile",
            "onofollow",
            "xdev",
            "xdevxdev",
            "dirlist",
            "prepend",
            "cyan",
            "white",
            "blue",
            "dialog box",
            "yellow",
            "active button",
            "inactive button",
            "search box",
            "input box",
            "green",
            "excluderxs",
            "doit",
            "s seed",
            "this command",
            "is extremely",
            "dangerous n",
            "chunksize",
            "socket",
            "return hex",
            "supports python",
            "rethrow",
            "hostrs",
            "bnone",
            "bload",
            "branchpath",
            "snapshotroot",
            "snapshot",
            "tmpidx",
            "bashsource",
            "bashlineno",
            "int dryrun",
            "importing",
            "ux f",
            "sbinbrc",
            "eof binsync",
            "unmounting file",
            "devnull echo",
            "rest",
            "first assert",
            "existing",
            "restcount",
            "none path",
            "maxbloombits",
            "bloomversion",
            "maxbitseach",
            "discussion",
            "k4 k5",
            "k6 k7",
            "k8 k9",
            "rvatoi",
            "exitrv",
            "exit 1",
            "noblock",
            "sisdir",
            "sislnk",
            "writetree",
            "rawtreeitem",
            "splittreeitem",
            "metadataro",
            "meta",
            "builtmodulename",
            "dkms",
            "packagename",
            "autoinstall",
            "kernelrelease",
            "kbuild",
            "kerneluname",
            "implementation",
            "murmurhash3",
            "jens taylor",
            "gary court",
            "austin appleby",
            "typeof h",
            "later",
            "tls1",
            "fbtfr",
            "fbfr",
            "apache http",
            "fbefr",
            "fbhfr",
            "fbabfr",
            "http",
            "keepalive",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "runtime data",
            "ansi",
            "getprocaddress",
            "access type",
            "ck id",
            "observed ja3",
            "mitre att",
            "show technique",
            "suspicious",
            "hybrid",
            "click",
            "delphi",
            "strings",
            "malicious",
            "february",
            "middle",
            "exploit",
            "gameover",
            "hybrid analysis",
            "api key",
            "vetting process",
            "ck matrix",
            "accept",
            "memoryfile scan",
            "invalid octet",
            "falcon sandbox",
            "tmpp59thrck",
            "informative",
            "name tactics"
          ],
          "references": [
            "itl-logo.txt",
            "empty.exe",
            "libnm.la",
            "libyara.la",
            "sunjava_map.xml",
            "lorem.txt",
            "stage2",
            "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
            "syslinux.cfg",
            "x.jnlp",
            "desktop.ini",
            "a.txt",
            "a.txt:ads.txt",
            "dir:ads.txt",
            "b.txt:ads.txt",
            "no_ads.txt",
            ".:ads.txt",
            "b.txt",
            "nm-shared.xml",
            ".zcompdump-m1904-5.9",
            ".zcompdump",
            "90-nm-thunderbolt.rules",
            "84-nm-drivers.rules",
            "85-nm-unmanaged.rules",
            "???? ????????.txt",
            "notes.txt",
            "notes.txt:ads",
            "nm-cloud-setup.timer",
            "NetworkManager-wait-online.service",
            "nm-cloud-setup.service",
            "nm-priv-helper.service",
            "NetworkManager-dispatcher.service",
            "NetworkManager.service",
            "NetworkManager-ovs.conf",
            "nm-pppd-plugin.la",
            "yara.pc",
            "libnm.pc",
            "preload.js",
            "LICENSE",
            "index.js",
            "range.bnf",
            "package.json",
            "README.md",
            "semver.js",
            "comparator.js",
            "range.js",
            "valid.js",
            "sort.js",
            "satisfies.js",
            "rsort.js",
            "rcompare.js",
            "prerelease.js",
            "patch.js",
            "neq.js",
            "minor.js",
            "major.js",
            "lt.js",
            "inc.js",
            "parse.js",
            "gt.js",
            "eq.js",
            "gte.js",
            "compare-loose.js",
            "compare.js",
            "clean.js",
            "cmp.js",
            "coerce.js",
            "compare-build.js",
            "diff.js",
            "lte.js",
            "parse-options.js",
            "identifiers.js",
            "debug.js",
            "constants.js",
            "re.js",
            "yallist.js",
            "iterator.js",
            "subset.js",
            "to-comparators.js",
            "outside.js",
            "min-version.js",
            "min-satisfying.js",
            "max-satisfying.js",
            "ltr.js",
            "simplify.js",
            "intersects.js",
            "gtr.js",
            "npmrc",
            "cli.js",
            "lifecycle-cmd.js",
            "cli-entry.js",
            "package-url-cmd.js",
            "base-command.js",
            "npm.js",
            "arborist-cmd.js",
            "whoami.js",
            "view.js",
            "version.js",
            "unstar.js",
            "update.js",
            "unpublish.js",
            "uninstall.js",
            "test.js",
            "team.js",
            "stop.js",
            "start.js",
            "token.js",
            "stars.js",
            "shrinkwrap.js",
            "set.js",
            "star.js",
            "sbom.js",
            "run-script.js",
            "root.js",
            "search.js",
            "repo.js",
            "restart.js",
            "rebuild.js",
            "publish.js",
            "prune.js",
            "prefix.js",
            "pkg.js",
            "ping.js",
            "pack.js",
            "query.js",
            "outdated.js",
            "org.js",
            "owner.js",
            "logout.js",
            "ls.js",
            "ll.js",
            "login.js",
            "link.js",
            "install-ci-test.js",
            "profile.js",
            "hook.js",
            "init.js",
            "install-test.js",
            "install.js",
            "help.js",
            "explore.js",
            "fund.js",
            "explain.js",
            "help-search.js",
            "get.js",
            "edit.js",
            "docs.js",
            "doctor.js",
            "dist-tag.js",
            "dedupe.js",
            "deprecate.js",
            "ci.js",
            "config.js",
            "completion.js",
            "bugs.js",
            "adduser.js",
            "exec.js",
            "audit.js",
            "access.js",
            "cache.js",
            "find-dupes.js",
            "validate-engines.js",
            "web-auth.js",
            "tar.js",
            "update-notifier.js",
            "sbom-cyclonedx.js",
            "replace-info.js",
            "read-user-info.js",
            "reify-output.js",
            "queryable.js",
            "timers.js",
            "validate-lockfile.js",
            "sbom-spdx.js",
            "otplease.js",
            "pulse-till-done.js",
            "log-shim.js",
            "log-file.js",
            "npm-usage.js",
            "get-identity.js",
            "format-bytes.js",
            "open-url-prompt.js",
            "explain-eresolve.js",
            "explain-dep.js",
            "exit-handler.js",
            "open-url.js",
            "did-you-mean.js",
            "completion.sh",
            "completion.fish",
            "cmd-list.js",
            "auth.js",
            "audit-error.js",
            "is-windows.js",
            "display.js",
            "reify-finish.js",
            "error-message.js",
            "format-search-stream.js",
            "installed-shallow.js",
            "installed-deep.js",
            "update-workspaces.js",
            "get-workspaces.js",
            "npm-view.md",
            "npm-version.md",
            "npm-uninstall.md",
            "npm-token.md",
            "npx.md",
            "npm-team.md",
            "npm-stop.md",
            "npm-unstar.md",
            "npm-start.md",
            "npm-star.md",
            "npm-test.md",
            "npm-shrinkwrap.md",
            "npm-stars.md",
            "npm-sbom.md",
            "npm-root.md",
            "npm-run-script.md",
            "npm-restart.md",
            "npm-rebuild.md",
            "npm-query.md",
            "npm-search.md",
            "npm-prune.md",
            "npm-publish.md",
            "npm-profile.md",
            "npm-repo.md",
            "npm-whoami.md",
            "npm-pkg.md",
            "npm-pack.md",
            "npm-ping.md",
            "npm-org.md",
            "npm-owner.md",
            "npm-prefix.md",
            "npm-login.md",
            "npm-logout.md",
            "npm-link.md",
            "npm-install-ci-test.md",
            "npm-install.md",
            "npm-init.md",
            "npm-update.md",
            "npm-help-search.md",
            "npm-hook.md",
            "npm-help.md",
            "npm-find-dupes.md",
            "npm-explore.md",
            "npm-unpublish.md",
            "npm-exec.md",
            "npm-ls.md",
            "npm-edit.md",
            "npm-doctor.md",
            "npm-fund.md",
            "npm-outdated.md",
            "npm-docs.md",
            "npm-dist-tag.md",
            "npm-config.md",
            "npm-diff.md",
            "npm-ci.md",
            "npm-cache.md",
            "npm-bugs.md",
            "npm-completion.md",
            "npm-audit.md",
            "npm-access.md",
            "npm.md",
            "npm-install-test.md",
            "npm-adduser.md",
            "npm-dedupe.md",
            "package-lock-json.md",
            "package-json.md",
            "npm-shrinkwrap-json.md",
            "install.md",
            "npmrc.md",
            "folders.md",
            "workspaces.md",
            "scripts.md",
            "removal.md",
            "scope.md",
            "registry.md",
            "package-spec.md",
            "orgs.md",
            "developers.md",
            "dependency-selectors.md",
            "logging.md",
            "config.md",
            "node-which",
            "mkdirp",
            "qrcode-terminal",
            "installed-package-contents",
            "cssesc",
            "color-support",
            "arborist",
            "pacote",
            "glob",
            "empty",
            "xstat (2).py",
            "zgrep",
            "xstat.py",
            "wtmp",
            "web.py",
            "vt300",
            "vt300 (2)",
            "vt100 (3)",
            "vt100",
            "vint.py",
            "version (2).py",
            "version.py",
            "vdecmd",
            "unmigrate (2).sh",
            "unmigrate.sh",
            "tick.py",
            "termcap (2)",
            "termcap",
            "tag.py",
            "syslinux (2).cfg",
            "syslog.conf",
            "syslog (2).conf",
            "styles.css",
            "stdcrt (2)",
            "std (2)",
            "stage2 (3)",
            "stage2 (2)",
            "std",
            "ssh.py",
            "source_info.py",
            "split.py",
            "slackinstall",
            "stdcrt",
            "shells",
            "shells (2)",
            "shquote.py",
            "shadow (2)",
            "shadow",
            "setup (2)",
            "SeTswap (2)",
            "SeTPKG (2)",
            "setup",
            "SeTswap",
            "SeTpasswd (2)",
            "SeTpasswd",
            "SeTnopart (2)",
            "SeTpartitions (2)",
            "SeTnopart",
            "SeTPKG",
            "SeTmedia (2)",
            "SeTpartitions",
            "SeTmedia",
            "SeTmaketag",
            "slackinstall (2)",
            "SeTkeymap (2)",
            "SeTmaketag (2)",
            "SeTkernel",
            "SeTfull (2)",
            "SeTkernel (2)",
            "SeTfull",
            "SeTfdHELP",
            "SeTfdHELP (2)",
            "SeTkeymap",
            "SeTDOS (2)",
            "SeTconfig (2)",
            "services (2)",
            "SeTDOS",
            "SeTconfig",
            "services",
            "sendcmd.rc",
            "securetty (2)",
            "securetty",
            "server.py",
            "rm.py",
            "restore.py",
            "rm (2).py",
            "save.py",
            "removepkg",
            "rescan-scsi-bus",
            "removepkg (2)",
            "README (2)",
            "README",
            "repo.py",
            "rc.usb",
            "rc.inet1",
            "rc.S",
            "rc.ieee1394",
            "random.py",
            "pwdgrp.py",
            "PROMPThelp (2)",
            "profile (2)",
            "prune_older.py",
            "profile",
            "probe (2)",
            "probe",
            "pkgtool",
            "pkgtool (2)",
            "pcmcia",
            "path.py",
            "passwd (2)",
            "passwd",
            "OpenSSLConfigVersion.cmake",
            "options.py",
            "PROMPThelp",
            "openssl.pc",
            "openmachine.rc",
            "on__server.py",
            "on.py",
            "OpenSSLConfig.cmake",
            "obexstress",
            "nsswitch (2).conf",
            "nsswitch.conf",
            "nopartHELP (2)",
            "nopartHELP",
            "networks (2)",
            "networks",
            "network",
            "mux.py",
            "mtools (2).conf",
            "mtools.conf",
            "mtab (2)",
            "mtab",
            "motd (2)",
            "motd",
            "modules.pcimap",
            "modules.pnpbiosmap",
            "modules.parportmap",
            "modules.usbmap",
            "modules.isapnpmap",
            "modules.ieee1394map",
            "modules.generic_string",
            "modules.dep",
            "migrate (2).sh",
            "migrate.sh",
            "midx.py",
            "midx (2).py",
            "meta.py",
            "memtest.py",
            "margin.py",
            "makedevs (2).sh",
            "makedevs.sh",
            "metadata.py",
            "ls (2).py",
            "ls.py",
            "login (2).defs",
            "main.py",
            "login.defs",
            "list_idx.py",
            "libssl.pc",
            "libnm-wwan.la",
            "libnm-ppp-plugin.la",
            "libnm-device-plugin-wwan.la",
            "libnm-device-plugin-wifi.la",
            "libnm-device-plugin-team.la",
            "libnm-device-plugin-bluetooth.la",
            "libnm-device-plugin-ovs.la",
            "libnm-device-plugin-adsl.la",
            "libcrypto.pc",
            "libc6-i386_2.31-0ubuntu6_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.info",
            "libc6-i386_2.30-4_amd64.url",
            "libc6-i386_2.31-0ubuntu6_amd64.symbols",
            "libc6-i386_2.30-4_amd64.info",
            "libc6-i386_2.30-4_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.info",
            "libc6-i386_2.30-0ubuntu2.1_amd64.url",
            "libc6-i386_2.30-0ubuntu2_amd64.symbols",
            "libc6-i386_2.30-0ubuntu2.1_amd64.info",
            "libc6-i386_2.29-0ubuntu2_amd64.url",
            "libc6-i386_2.29-0ubuntu2_amd64.symbols",
            "libc6-i386_2.29-0ubuntu2_amd64.info",
            "libc6-i386_2.28-10_amd64.url",
            "libc6-i386_2.28-10_amd64.info",
            "libc6-i386_2.28-10_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.info",
            "libc6-i386_2.27-3ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.symbols",
            "libc6-i386_2.28-0ubuntu1_amd64.url",
            "libc6-i386_2.27-3ubuntu1_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.url",
            "libc6-i386_2.26-0ubuntu2_amd64.info",
            "libc6-i386_2.26-0ubuntu2_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.url",
            "libc6-i386_2.26-0ubuntu2.1_amd64.info",
            "libc6-i386_2.24-11+deb9u4_amd64.url",
            "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2_amd64.url",
            "libc6-i386_2.24-9ubuntu2_amd64.info",
            "libc6-i386_2.24-9ubuntu2.2_amd64.url",
            "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-9ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.url",
            "libc6-i386_2.24-3ubuntu2.2_amd64.info",
            "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.url",
            "libc6-i386_2.23-0ubuntu11_amd64.url",
            "libc6-i386_2.24-3ubuntu1_amd64.symbols",
            "libc6-i386_2.24-3ubuntu1_amd64.info",
            "libc6-i386_2.23-0ubuntu11_amd64.symbols",
            "libc6-i386_2.23-0ubuntu11_amd64.info",
            "libc6-i386_2.23-0ubuntu10_amd64.url",
            "libc6-i386_2.23-0ubuntu10_amd64.symbols",
            "libc6-i386_2.23-0ubuntu10_amd64.info",
            "libc6-i386_2.23-0ubuntu3_amd64.symbols",
            "libc6-i386_2.23-0ubuntu3_amd64.info",
            "libc6-i386_2.21-0ubuntu4_amd64.url",
            "libc6-i386_2.23-0ubuntu3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.info",
            "libc6-i386_2.21-0ubuntu4.3_amd64.url",
            "libc6-i386_2.21-0ubuntu4_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.info",
            "libc6-i386_2.19-18+deb8u10_amd64.url",
            "libc6-i386_2.19-18+deb8u10_amd64.symbols",
            "libc6-i386_2.19-18+deb8u10_amd64.info",
            "libc6-i386_2.19-10ubuntu2_amd64.url",
            "libc6-i386_2.19-10ubuntu2_amd64.symbols",
            "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
            "libc6-i386_2.19-10ubuntu2_amd64.info",
            "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
            "libc6-i386_2.24-11+deb9u4_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.url",
            "libc6-i386_2.19-10ubuntu2.3_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.info",
            "libc6-i386_2.19-0ubuntu6_amd64.symbols",
            "libc6-i386_2.19-0ubuntu6.15_amd64.info",
            "libc6-i386_2.19-0ubuntu6.15_amd64.url",
            "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
            "libc6-i386_2.17-93ubuntu4_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.info",
            "libc6-i386_2.17-0ubuntu5_amd64.url",
            "libc6-i386_2.17-93ubuntu4_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5_amd64.info",
            "libc6-i386_2.17-0ubuntu5.1_amd64.url",
            "libc6-i386_2.17-0ubuntu5_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
            "libc6-i386_2.17-0ubuntu5.1_amd64.info",
            "libc6-i386_2.15-0ubuntu20_amd64.url",
            "libc6-i386_2.15-0ubuntu20.2_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.symbols",
            "libc6-i386_2.15-0ubuntu20.2_amd64.info",
            "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10_amd64.info",
            "libc6-i386_2.15-0ubuntu10_amd64.url",
            "libc6-i386_2.15-0ubuntu20_amd64.info",
            "libc6-i386_2.15-0ubuntu10.18_amd64.url",
            "libc6-i386_2.15-0ubuntu10_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.url",
            "libc6-i386_2.13-20ubuntu5_amd64.info",
            "libc6-i386_2.13-20ubuntu5_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.3_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.url",
            "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
            "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
            "libc6-i386_2.13-20ubuntu5.2_amd64.info",
            "libc6-i386_2.13-0ubuntu13_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.info",
            "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
            "libc6-i386_2.13-0ubuntu13.2_amd64.url",
            "libc6-i386_2.13-0ubuntu13_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
            "libc6-i386_2.13-0ubuntu13.2_amd64.info",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
            "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7_amd64.url",
            "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
            "libc6-i386_2.12.1-0ubuntu6_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
            "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu19_amd64.url",
            "libc6-i386_2.10.1-0ubuntu19_amd64.info",
            "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.info",
            "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
            "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.url",
            "libc6-i386_2.9-4ubuntu6_amd64.info",
            "libc6-i386_2.9-4ubuntu6_amd64.symbols",
            "libc6-i386_2.10.1-0ubuntu15_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
            "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
            "libc6-i386_2.9-4ubuntu6.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
            "libc6-i386_2.7-10ubuntu8.3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.info",
            "libc6-i386_2.7-10ubuntu3_amd64.url",
            "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.symbols",
            "libc6-i386_2.7-10ubuntu3_amd64.info",
            "libc6-i386_2.6.1-1ubuntu10_amd64.url",
            "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu10_amd64.info",
            "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
            "libc6-i386_2.6.1-1ubuntu9_amd64.url",
            "libc6-i386_2.6.1-1ubuntu9_amd64.info",
            "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.symbols",
            "libc6-i386_2.5-0ubuntu14_amd64.info",
            "libc6-i386_2.4-1ubuntu12_amd64.url",
            "libc6-i386_2.4-1ubuntu12_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12_amd64.info",
            "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
            "libc6-i386_2.4-1ubuntu12.3_amd64.url",
            "libc6-i386_2.4-1ubuntu12.3_amd64.info",
            "libc6-i386_2.5-0ubuntu14_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
            "libc6-i386_2.3.6-0ubuntu20_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
            "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
            "ldd",
            "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
            "ld.so (2).conf",
            "ld.so.conf",
            "join.py",
            "itl-logo (3).txt",
            "itl-logo (2).txt",
            "issue",
            "issue (2)",
            "io.py",
            "installpkg",
            "INSNFS (2)",
            "installpkg (2)",
            "INSNFS",
            "INShd",
            "INShd (2)",
            "INSfd (2)",
            "INSfd",
            "INSdir (2)",
            "INSdir",
            "INSCD",
            "INSCD (2)",
            "inittab (2)",
            "inittab",
            "init.py",
            "__init__ (2).py",
            "__init__.py",
            "index (2).py",
            "index.py",
            "import_duplicity.py",
            "hosts (2)",
            "hosts",
            "host (2).conf",
            "host.conf",
            "HOSTNAME",
            "hlinkdb.py",
            "help.py",
            "helpers.py",
            "HOSTNAME (2)",
            "hashsplit.py",
            "group (2)",
            "group",
            "gc (2).py",
            "git.py",
            "get.py",
            "gc.py",
            "fuse.py",
            "func.py",
            "fstab (2)",
            "fstab",
            "ftp.py",
            "fsck (2).ext2",
            "fsck (2).ext3",
            "fsck.ext3",
            "fsck.ext2",
            "fsck.py",
            "filesize",
            "features.py",
            "fdisk (2)",
            "fdisk",
            "FDhelp (2)",
            "FDhelp",
            "empty (3)",
            "empty (2)",
            "drecurse.py",
            "dialogrc",
            "dialogrc (2)",
            "disk2 (2)",
            "drecurse (2).py",
            "disk2",
            "damage.py",
            "daemon.py",
            "compat.py",
            "closemachine.rc",
            "checkout_info.py",
            "cfdisk (2)",
            "client.py",
            "cfdisk",
            "cat_file.py",
            "bup-import-rsnapshot",
            "bup-import-rdiff-backup",
            "brc (2)",
            "brc",
            "bloom (2).py",
            "bloom.py",
            "asyncrecv.rc",
            "90-nm-cloud-setup.sh",
            "vfs.py",
            "tree.py",
            "template-WaR2X6",
            "a1676298638",
            "a4033901479",
            ".X1-lock",
            ".X0-lock",
            ".X1024-lock",
            "b3336837578",
            "MozillaUpdateLock-7A4D7A8EFFB43502",
            "imurmurhash.min.js",
            ".X1025-lock",
            "murmur2",
            "b529967783",
            "empty.lock~",
            "ab.1",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
            "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
            "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
            "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
            "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
            "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
            "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
            "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 297,
            "email": 8,
            "hostname": 204,
            "URL": 382,
            "FileHash-SHA1": 7,
            "CVE": 2,
            "FileHash-MD5": 45,
            "FileHash-SHA256": 5
          },
          "indicator_count": 950,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "717 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "661db37bf549518bf6f7f377",
          "name": "Backup from 03-28-24 - Systemd dump, malicious ssh and sshd files, libsystemd-vore libsystemd-shared plus supporting php files",
          "description": "Ignoring the YARA and EICAR files - I was able to recover a partition used for backups from 03/25/24-03/29/24 (the day of the XZ supply chain disclosure). This is a preliminary dump, with accompanying analysis and SHA-1 and SHA-256 hashes, of my /usr/lib/systemd directory, which housed multiple suspect ssh subdirectories plus malicious libsystemd-shared and libsystemd-core binaries, along with all supporting config, dev, and service files and binaries. Dig in.",
          "modified": "2024-04-23T14:28:30.317000",
          "created": "2024-04-15T23:08:43.746000",
          "tags": [
            "fireeye",
            "copyright",
            "base64",
            "dotnettojscript",
            "gadgettojscript",
            "invokeclient",
            "invokeserver",
            "readhost enter",
            "command",
            "roth",
            "nextron",
            "sandworm",
            "detects ssh",
            "grant all",
            "privileges on",
            "to mysqldb",
            "create user",
            "g root",
            "sandworm python",
            "import",
            "phpsploit",
            "host",
            "user",
            "pass",
            "error",
            "establish",
            "pecl oci8",
            "connstr",
            "charset",
            "false",
            "miner",
            "texthtml",
            "module",
            "send custom",
            "swissky",
            "class",
            "serviceip",
            "serviceport",
            "servicedata",
            "e binsh",
            "init",
            "service port",
            "detects",
            "cve202140444",
            "target",
            "targetmode",
            "jeremy brown",
            "windows cve",
            "ms office",
            "modified rule",
            "rperm",
            "wperm",
            "pathsep",
            "string",
            "rwxrxrx",
            "file types",
            "unix",
            "login",
            "autentication",
            "disable",
            "ldapconnect",
            "version",
            "authentication",
            "ldaplist",
            "null",
            "pathelems",
            "execute",
            "backdoor",
            "kingdee oa",
            "yunxingkong",
            "b6oa",
            "code execution",
            "kingdee cloud",
            "starry sky",
            "otherwise",
            "file",
            "setsmartdate",
            "fread",
            "name",
            "force",
            "base64decode",
            "data",
            "substr",
            "array",
            "readdir",
            "getowner",
            "getgroup",
            "getsize",
            "force option",
            "fwrite",
            "permission",
            "check",
            "mode",
            "diraccess",
            "fileaccess",
            "realpath",
            "stat",
            "immutable",
            "posixgetpwuid",
            "posixgetgrgid",
            "explode",
            "etcpasswd",
            "glob",
            "globonlydir",
            "oraclelogin",
            "port",
            "servicename",
            "connector",
            "base",
            "query type",
            "mssqlfetcharray",
            "mssqlassoc",
            "solsocket",
            "timeout",
            "range",
            "portmin",
            "portmax",
            "socketcreate",
            "afinet",
            "sockstream",
            "open",
            "type",
            "true",
            "tcp connection",
            "tcp shell",
            "input",
            "lhost",
            "netcat",
            "lport",
            "shell",
            "dllimport",
            "python",
            "back",
            "fore",
            "pfinet",
            "stdout",
            "this",
            "win32",
            "ldapsearch",
            "select",
            "mysqliassoc",
            "select database",
            "send",
            "newfile",
            "dns stub",
            "third party",
            "see man",
            "exit",
            "o pipefail",
            "v systemctl",
            "devnull",
            "unknown verb",
            "license",
            "gnu lesser",
            "general public",
            "free software",
            "foundation",
            "unit",
            "slice",
            "cpuweight100",
            "tasks slice",
            "cpuweight30",
            "capev2",
            "cape",
            "cuckoo web",
            "setup",
            "grep",
            "limitnofile",
            "install",
            "return",
            "execstart",
            "start",
            "descriptionrun",
            "timer",
            "oncalendardaily",
            "service",
            "prevent rate",
            "delay start",
            "m poetry",
            "sigkill",
            "descriptioncape",
            "ef usercape",
            "g cape",
            "allowisolateyes",
            "typedbus",
            "socket",
            "message bus",
            "listenstream",
            "typenotify",
            "descriptionuser",
            "harald sitter",
            "sitter",
            "kcrash",
            "drkonqi",
            "acceptyes",
            "disable trigger",
            "todo",
            "prevents",
            "path",
            "pathexistsglob",
            "runtimemaxsec31",
            "runtimemaxsec30",
            "restartno",
            "descriptionexit",
            "environmentfile",
            "otheropts",
            "soundfont",
            "descriptiongcr",
            "sshauthsock",
            "descriptionglib",
            "priority6",
            "killmodeprocess",
            "proxy",
            "socketmode0600",
            "apache software",
            "notice file",
            "apache license",
            "unless",
            "as is",
            "basis",
            "or conditions",
            "apple file",
            "conduit monitor",
            "descriptionjack",
            "jackoptions d",
            "driver d",
            "device",
            "media transfer",
            "indexer daemon",
            "memory",
            "memoryhigh512m",
            "system sockets",
            "a user",
            "conditionuser",
            "dbus menus",
            "plasma",
            "phase",
            "workspace core",
            "exit status",
            "x11 connection",
            "timeoutstopsec5",
            "disable restart",
            "timeoutsec40sec",
            "typeoneshot",
            "david edmundson",
            "davidedmundson",
            "osd service",
            "portal",
            "auto restart",
            "dbus",
            "xembed system",
            "logging system",
            "socketmode0660",
            "all containers",
            "restart policy",
            "logging start",
            "execstopbinsh c",
            "logging",
            "x11 plugins",
            "session slice",
            "typeforking",
            "etc userroot",
            "grouproot",
            "onbootsec15min",
            "place",
            "temporary",
            "volatile files",
            "thunar",
            "session manager",
            "wireplumber",
            "service file",
            "xdg autostart",
            "user dir",
            "descriptionxfce",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "bpf program",
            "indicator",
            "bpf firewalling",
            "pcap",
            "pcap processing",
            "bpffallowmulti",
            "bpf device",
            "date",
            "suspicious",
            "hybrid",
            "crypto",
            "close",
            "click",
            "april",
            "strings",
            "february",
            "middle",
            "exploit",
            "gameover",
            "contact",
            "scope",
            "thomas koch",
            "gpl v2",
            "imsm",
            "ibftruledir",
            "ibftrules",
            "attr",
            "systemd rule",
            "hannes reinecke",
            "suse labs",
            "ipibft",
            "interface",
            "kernel",
            "configfile",
            "typesimple",
            "apparmor",
            "grouparchaudit",
            "hardening",
            "umask077",
            "persistenttrue",
            "enable debug",
            "networkmanager",
            "trace",
            "wait online",
            "edit",
            "note",
            "reload",
            "capdacoverride",
            "dhcp etc",
            "mdadmscan",
            "mdadmdelay",
            "mdadmmail",
            "mdadmprogram",
            "mdadmconfig",
            "mdadmsendmail",
            "p runsysconfig",
            "userroot",
            "sssd",
            "write access",
            "needed sometime",
            "statedirectory",
            "accountsservice",
            "varloglastlog",
            "bridge daemon",
            "alsa card",
            "card state",
            "required",
            "another auto",
            "nice daemon",
            "memorymax64m",
            "filter system",
            "mount",
            "reboot",
            "clock",
            "logging service",
            "requires",
            "before",
            "please",
            "exit codes",
            "proc",
            "descriptionruns",
            "execstartsh c",
            "switchtoggle",
            "ignoreonisolate",
            "term typeidle",
            "without",
            "any warranty",
            "merchantability",
            "fitness",
            "a particular",
            "vartmp",
            "wants type",
            "preparation",
            "watchdogsec10",
            "filesystem",
            "timer daemon",
            "options",
            "environment",
            "prevent",
            "readwritepaths",
            "security",
            "certain",
            "protectsystem",
            "bindpaths",
            "lower cpu",
            "nice19",
            "manager",
            "userc",
            "celerydnodes",
            "info",
            "chaddevops",
            "aaron brighton",
            "clam antivirus",
            "jon kriel",
            "distribution",
            "script",
            "sanesecurity",
            "securiteinfo",
            "malwarepatrol",
            "oitc",
            "file location",
            "remember",
            "typeexec user",
            "9 cntlm",
            "generate color",
            "profiles",
            "removeipctrue",
            "devpts",
            "authors",
            "any kind",
            "usercouchdb",
            "restartsec5",
            "volumes",
            "server socket",
            "user209",
            "daemon",
            "darkstatiface",
            "reloadconfig",
            "watchdogsec3min",
            "privatetmpyes",
            "protectproc",
            "increase",
            "descriptiontime",
            "date service",
            "debugging only",
            "ignoresigpipeno",
            "unset locale",
            "file system",
            "queue file",
            "whatmqueue",
            "optionsnosuid",
            "pf rundhclient",
            "rate",
            "requiresdirmngr",
            "capfowner",
            "capsetpcap",
            "dhcp",
            "dns server",
            "startlimit",
            "limits",
            "delegateyes",
            "descriptionpass",
            "runtimemaxsec5",
            "mountain",
            "metadata check",
            "all filesystems",
            "online metadata",
            "sunday",
            "oncalendarsun",
            "online ext4",
            "sigterm signal",
            "java process",
            "piddir",
            "standardoutput",
            "elasticsearch",
            "limitnproc4096",
            "limitasinfinity",
            "sendsighupyes",
            "mapper daemon",
            "mainpid",
            "quit",
            "listenstream79",
            "radius server",
            "d etcraddb",
            "protecthomeon",
            "default",
            "systemservice",
            "efiefi bootefi",
            "afinet afinet6",
            "afunix afinet",
            "oncalendar 0000",
            "privatetmptrue",
            "geoip legacy",
            "geoip2",
            "instance",
            "usergit",
            "scdconfig",
            "notice",
            "devinputmice t",
            "descriptiongps",
            "system",
            "sock refclock",
            "gpsdoptions",
            "devices",
            "daemon sockets",
            "2947",
            "bindipv6onlyyes",
            "usbauto",
            "usrbingpsdctl",
            "gps daemon",
            "afterdev",
            "gvmddata",
            "varlibgssproxy",
            "nonewprivileges",
            "privatetmp",
            "protecthome",
            "ieee",
            "etchostapd",
            "killmodemixed",
            "fcopy",
            "uncomment",
            "use sigterm",
            "sigkill i2pd",
            "sendsigkillyes",
            "limitnofile8192",
            "systemd",
            "analog",
            "shutting down",
            "iodineextip p",
            "iodineport p",
            "iodineuser",
            "tunip",
            "topdomain",
            "guessmainpidyes",
            "m node",
            "wants",
            "initiatorname",
            "io driver",
            "typeexec",
            "c etckcptun",
            "usernobody",
            "requireskeyboxd",
            "static device",
            "nofork",
            "restartalways",
            "linker cache",
            "hack",
            "use wants",
            "raise",
            "tasksmax",
            "tasksmax32768",
            "limitmemlock64m",
            "removeonstopyes",
            "ip socket",
            "tls ip",
            "conflictsgetty",
            "aftergetty",
            "busmodules",
            "qabr",
            "hwmonmodules",
            "local file",
            "privatenetwork",
            "lvm2",
            "initialization",
            "autoboot code",
            "s delegatetrue",
            "description",
            "pidfilerunlxc",
            "lynis service",
            "adjust path",
            "lynis binary",
            "lynis timer",
            "tell systemd",
            "lynis security",
            "persistentfalse",
            "container slice",
            "recover",
            "varcacheman",
            "regenerate man",
            "userroot nice19",
            "mysqldopts",
            "mysqldsafe",
            "timezone",
            "core",
            "restart",
            "users",
            "backlog150",
            "listenstreams",
            "servicemariadb",
            "mechanism",
            "mariadb",
            "multi instance",
            "variables",
            "bindirmdadm",
            "gnu general",
            "public license",
            "reshape",
            "onactivesec30",
            "oncalendar",
            "wantedby",
            "monitor",
            "allow mdmon",
            "takeover",
            "k none",
            "c devnull",
            "d runinitramfs",
            "p runmongodb",
            "limitnproc32000",
            "limitmemlock5",
            "device server",
            "requiredbydev",
            "d dev",
            "descriptionreal",
            "extraopts",
            "restartsec30",
            "valid",
            "fifo",
            "priority",
            "batch",
            "nice0",
            "partof",
            "tracking daemon",
            "helper",
            "for testing",
            "only",
            "restrict",
            "grant",
            "capsysptrace",
            "capkill",
            "capipclock",
            "environ",
            "capsysresource",
            "capsyslog",
            "descriptionname",
            "service cache",
            "sysvlsb",
            "descriptionhost",
            "network name",
            "group name",
            "u ntp",
            "time service",
            "t hibernate",
            "software",
            "other",
            "the software",
            "daemon init",
            "software is",
            "provided",
            "fcnvme",
            "wantsmodprobe",
            "aftermodprobe",
            "descriptionall",
            "nbft",
            "nvmeof",
            "connectargs",
            "unit file",
            "descriptionnvmf",
            "red hat",
            "without any",
            "warranty",
            "card daemon",
            "socketmode0666",
            "suite result",
            "kexec screen",
            "oncalendarsat",
            "boot screen",
            "timeoutsec20",
            "power off",
            "runtime data",
            "descriptionhold",
            "timeoutsec0",
            "sandboxing",
            "execstop",
            "colin walters",
            "upgrade",
            "upgrade output",
            "umask0077",
            "transport agent",
            "descriptionmake",
            "descriptionppp",
            "whatnfsd",
            "file formats",
            "automount point",
            "automount",
            "setuid nobody",
            "setgid nobody",
            "setcon",
            "syslog",
            "restartonabort",
            "halt screen",
            "reboot screen",
            "pgroot",
            "postgresql",
            "oom killer",
            "additional",
            "fy nice19",
            "endless os",
            "foundation llc",
            "restartsec0",
            "system quotas",
            "rabbitmq",
            "protecthometrue",
            "etcrathole",
            "guessmainpidno",
            "h etcrdnssd",
            "reflector",
            "afinet6 afunix",
            "umask177",
            "remote file",
            "nfs client",
            "nfsv23 locking",
            "make sure",
            "rpc netconfig",
            "descriptionfast",
            "using ssh",
            "so let",
            "boot",
            "realtimekit",
            "rwhodopts",
            "display manager",
            "specify",
            "interval l",
            "loginterval f",
            "bindstodev",
            "always",
            "usrbingrpck r",
            "slapdoptions",
            "u ldap",
            "slapdurls",
            "smart",
            "pciusb",
            "midi",
            "daemonopts",
            "snmp",
            "trap daemon",
            "g snort",
            "descriptionsudo",
            "hibernate",
            "svnserveargs",
            "whatfusectl",
            "whatconfigfs",
            "whatdebugfs",
            "whattracefs",
            "best way",
            "see https",
            "units service",
            "service slice",
            "offline system",
            "update",
            "wall directory",
            "timeoutsec90s",
            "descriptionmark",
            "current boot",
            "loader entry",
            "any system",
            "units",
            "loader random",
            "loader update",
            "service socket",
            "dump socket",
            "optionally",
            "root device",
            "afalg afinet",
            "execstophomectl",
            "home area",
            "named pipe",
            "sink service",
            "sink socket",
            "upload service",
            "dynamicuseryes",
            "sigkilled",
            "devlog",
            "timestampingus",
            "namespace",
            "sendbuffer8m",
            "kernel command",
            "netlink socket",
            "storage",
            "descriptionwait",
            "network",
            "make",
            "deviceallow",
            "reserve",
            "killer socket",
            "root file",
            "measurement",
            "pcr policy",
            "tpm pcr",
            "code",
            "configuration",
            "machine id",
            "barrier",
            "quota check",
            "system quota",
            "after",
            "random seed",
            "kernel file",
            "gpt partition",
            "kill switch",
            "nvmetcp",
            "trigger",
            "saturday",
            "persistentyes",
            "system update",
            "kernel time",
            "capsystime",
            "ntp service",
            "turn",
            "files",
            "device nodes",
            "srk setup",
            "device events",
            "bootshutdown",
            "change",
            "manager socket",
            "descriptiontinc",
            "proxy server",
            "linrunner",
            "descriptiontlp",
            "tor service",
            "f etctortorrc",
            "tpm device",
            "descriptionudp",
            "tcpicmpudp",
            "etcudp2raw",
            "debug",
            "swap",
            "api file",
            "privatedevices",
            "home",
            "root",
            "runuser",
            "linux control",
            "groups",
            "group",
            "afnetlink",
            "locked memory",
            "limitmemlock0",
            "usb gadget",
            "apple",
            "sliceuser",
            "descriptionuuid",
            "compatibility",
            "typerpcpipefs",
            "vmsvga",
            "hypervisor",
            "usr1",
            "mgmt appuser",
            "dac permission",
            "selinux",
            "xxx someone",
            "qemu",
            "machine tools",
            "vmware tools",
            "pidfilerunvpnc",
            "wacom",
            "iface d",
            "dspeed u",
            "iface",
            "descriptionwpa",
            "oracle",
            "reserved",
            "wong",
            "emailaddr",
            "tunnel protocol",
            "l2tp",
            "isps",
            "russia use",
            "ipsec",
            "d optxplico",
            "b sqlite",
            "descriptionxrdp",
            "xrdpoptions",
            "process",
            "sesmanoptions",
            "zpoolimportopts",
            "an o",
            "t scrub",
            "usrbinzpool",
            "zfs volume",
            "descriptionzfs",
            "f restartalways",
            "remainafterexit",
            "nmbdoptions",
            "smbdoptions",
            "successaction",
            "winbindoptions",
            "ck id",
            "hybrid analysis",
            "mitre att",
            "malicious",
            "sdshared ansi",
            "default und",
            "func global",
            "func local",
            "object local",
            "general",
            "show technique",
            "ck matrix",
            "tasksmax33",
            "empty file",
            "proxycommand",
            "checkhostip",
            "afunix",
            "afvsock",
            "allow",
            "r table",
            "chkbootcheck",
            "gplv2 source",
            "chkbootstyles",
            "etcissue",
            "partition",
            "minimizebest",
            "mit no",
            "match",
            "link",
            "namepolicykeep",
            "ethernet link",
            "kindveth nameve",
            "kindveth namevb",
            "keepmasteryes",
            "dhcpv4",
            "kindsit name6rd",
            "ipv4ll",
            "ipv6ll",
            "dhcpipv6ra",
            "dhcpv6",
            "typeether",
            "dhcpyes",
            "usetimezoneyes",
            "typewlan",
            "tuntap",
            "natdhcp",
            "kindtun namevt",
            "kind",
            "originalname",
            "definedby",
            "peer",
            "sopeergroups",
            "dbus protocol",
            "dbus name",
            "exec",
            "hup signal",
            "sighup",
            "dnssec",
            "sessionid",
            "seatid",
            "sleep",
            "leader",
            "jobresult",
            "coredumppid",
            "coredumpcomm",
            "junit",
            "na zapusk",
            "mikrasiekund",
            "enhed",
            "mikrosekunder",
            "opstart",
            "jobid",
            "a rendszer",
            "ezredmsodpercet",
            "a rendszernapl",
            "user manager",
            "smack",
            "lunit",
            "stato",
            "il processo",
            "il sistema",
            "stata",
            "le processus",
            "notez que",
            "jedinica",
            "zapamtite da",
            "nova",
            "jednostka",
            "prosz zauway",
            "zwykle wskazuje",
            "jest",
            "o processo",
            "processo",
            "isso",
            "inicializao",
            "journal",
            "sizelimit",
            "userid",
            "prozess",
            "speicherabbild",
            "hinweis auf",
            "programmfehler",
            "fehler dem",
            "die systemzeit",
            "realtime"
          ],
          "references": [
            "Hunting_B64Engine_DotNetToJScript_Dos.yar",
            "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
            "apt_sandworm_exim_expl.yar.002",
            "apt_sandworm_exim_expl.yar.001",
            "apt_sandworm_exim_expl.yar",
            "connect.php",
            "connect.php.002",
            "connect.php.001",
            "crypto-miner.js",
            "eicar",
            "eicar.001",
            "eicar.002",
            "custom.py",
            "eicar.txt",
            "expl_cve_2021_40444.yar.001",
            "expl_cve_2021_40444.yar.002",
            "getPerms.php",
            "input.pcap",
            "list.php",
            "parent.php",
            "payload.php",
            "payload.php.001",
            "kingdee-erp-rce.yaml",
            "payload.php.003",
            "payload.php.002",
            "payload.php.004",
            "payload.php.005",
            "payload.php.006",
            "payload.php.007",
            "payload.php.008",
            "payload.php.010",
            "payload.php.011",
            "payload.php.009",
            "payload.php.012",
            "payload.php.013",
            "payload.php.015",
            "payload.php.016",
            "payload.php.017",
            "reverse_tcp.py",
            "scanner.php",
            "search.php",
            "setdb.php",
            "payload.php.014",
            "setdb.php.001",
            "reader.php",
            "single.php",
            "resolv.conf",
            "systemd-update-helper",
            "90-systemd.preset",
            "60-flatpak",
            "app.slice",
            "background.slice",
            "README.md",
            "bluetooth.target",
            "basic.target",
            "borgmatic-user.timer",
            "borgmatic-user.service",
            "cape.service",
            "cape-dist.service",
            "cape-processor.service",
            "cape-rooter.service",
            "capsule@.target",
            "cape-web.service",
            "clash.service",
            "colord-session.service",
            "dbus.socket",
            "cape-fstab.service",
            "dbus.service",
            "dbus-broker.service",
            "dconf.service",
            "dirmngr.service",
            "default.target",
            "drkonqi-coredump-cleanup.service",
            "dirmngr.socket",
            "drkonqi-coredump-cleanup.timer",
            "drkonqi-coredump-launcher.socket",
            "drkonqi-sentry-postman.path",
            "drkonqi-coredump-pickup.service",
            "drkonqi-sentry-postman.service",
            "drkonqi-sentry-postman.timer",
            "drkonqi-coredump-launcher@.service",
            "dunst.service",
            "flatpak-oci-authenticator.service",
            "filter-chain.service",
            "exit.target",
            "flatpak-session-helper.service",
            "fluidsynth.service",
            "gcr-ssh-agent.socket",
            "flatpak-portal.service",
            "gcr-ssh-agent.service",
            "gnome-keyring-daemon.service",
            "glib-pacrunner.service",
            "gnome-keyring-daemon.socket",
            "gpg-agent-ssh.socket",
            "gnome-terminal-server.service",
            "gpg-agent-extra.socket",
            "gpg-agent.service",
            "gpg-agent.socket",
            "gpg-agent-browser.socket",
            "graphical-session-pre.target",
            "graphical-session.target",
            "gssuserproxy.socket",
            "guacd.service",
            "gvfs-gphoto2-volume-monitor.service",
            "gvfs-daemon.service",
            "gssuserproxy.service",
            "gvfs-afc-volume-monitor.service",
            "gvfs-metadata.service",
            "jack@.service",
            "guac-web.service",
            "gvfs-udisks2-volume-monitor.service",
            "gvfs-mtp-volume-monitor.service",
            "kde-baloo.service",
            "keyboxd.service",
            "kio-fuse.service",
            "keyboxd.socket",
            "p11-kit-server.service",
            "p11-kit-server.socket",
            "paths.target",
            "pipewire.socket",
            "pipewire-pulse.service",
            "plasma-gmenudbusmenuproxy.service",
            "pipewire-pulse.socket",
            "plasma-baloorunner.service",
            "plasma-kcminit.service",
            "plasma-dolphin.service",
            "plasma-kcminit-phase1.service",
            "plasma-core.target",
            "plasma-kded.service",
            "pipewire.service",
            "plasma-kded6.service",
            "plasma-kglobalaccel.service",
            "at-spi-dbus-bus.service",
            "plasma-krunner.service",
            "plasma-kscreen.service",
            "plasma-kscreen-osd.service",
            "plasma-ksmserver.service",
            "plasma-ksplash.service",
            "plasma-ksplash-ready.service",
            "plasma-ksystemstats.service",
            "plasma-kwallet-pam.service",
            "plasma-kwin_wayland.service",
            "plasma-kwin_x11.service",
            "plasma-plasmashell.service",
            "plasma-polkit-agent.service",
            "plasma-powerdevil.service",
            "plasma-powerprofile-osd.service",
            "plasma-restoresession.service",
            "plasma-workspace.target",
            "plasma-workspace-wayland.target",
            "plasma-workspace-x11.target",
            "plasma-xdg-desktop-portal-kde.service",
            "plasma-xembedsniproxy.service",
            "podman.service",
            "podman.socket",
            "podman-auto-update.service",
            "podman-auto-update.timer",
            "podman-kube@.service",
            "podman-restart.service",
            "printer.target",
            "pulseaudio.service",
            "pulseaudio.socket",
            "pulseaudio-x11.service",
            "session.slice",
            "shutdown.target",
            "smartcard.target",
            "sockets.target",
            "sound.target",
            "ssh-agent.service",
            "suricata.service",
            "suricata-update.service",
            "suricata-update.timer",
            "systemd-exit.service",
            "systemd-tmpfiles-clean.service",
            "systemd-tmpfiles-clean.timer",
            "systemd-tmpfiles-setup.service",
            "thunar.service",
            "timers.target",
            "tracker-xdg-portal-3.service",
            "tumblerd.service",
            "wireplumber.service",
            "wireplumber@.service",
            "xdg-desktop-autostart.target",
            "xdg-desktop-portal.service",
            "xdg-desktop-portal-gtk.service",
            "xdg-desktop-portal-hyprland.service",
            "xdg-desktop-portal-rewrite-launchers.service",
            "xdg-desktop-portal-xapp.service",
            "xdg-permission-store.service",
            "xdg-user-dirs-update.service",
            "xfce4-notifyd.service",
            "xsettingsd.service",
            "xdg-document-portal.service",
            "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
            "defaults.conf",
            "apparmor.conf",
            "nvidia",
            "tlp",
            "fwupd.shutdown",
            "mdadm.shutdown",
            "99-default.preset",
            "50-zfs.preset",
            "ibft-rule-generator",
            "10-arch",
            "60-flatpak-system-only",
            "3proxy.service",
            "apache-tika.service",
            "apparmor.service",
            "arch-audit.service",
            "arch-audit.timer",
            "NetworkManager-dispatcher.service",
            "NetworkManager-wait-online.service",
            "NetworkManager.service",
            "SUSE-mdadm_env.sh",
            "ModemManager.service",
            "3proxy.conf",
            "archlinux-keyring-wkd-sync.service",
            "adsl.service",
            "accounts-daemon.service",
            "adb.service",
            "alsa-restore.service",
            "alsa-state.service",
            "archlinux-keyring-wkd-sync.timer",
            "ananicy-cpp.service",
            "arcolinux-graphical-target.service",
            "atftpd.service",
            "audit-rules.service",
            "auditd.service",
            "auth-rpcgss-module.service",
            "autorandr.service",
            "autorandr-lid-listener.service",
            "autovt@.service",
            "avahi-daemon.service",
            "avahi-daemon.socket",
            "avahi-dnsconfd.service",
            "bettercap.service",
            "betterlockscreen@.service",
            "blk-availability.service",
            "blockdev@.target",
            "bluetooth.service",
            "bmc-watchdog.service",
            "bolt.service",
            "boot-complete.target",
            "borgmatic.service",
            "borgmatic.timer",
            "bpftune.service",
            "btrfs-scrub@.service",
            "btrfs-scrub@.timer",
            "canberra-system-bootup.service",
            "canberra-system-shutdown.service",
            "canberra-system-shutdown-reboot.service",
            "capsule.slice",
            "capsule@.service",
            "celery2@.service",
            "celery@.service",
            "chkboot.service",
            "clamav-clamonacc.service",
            "clamav-daemon.service",
            "clamav-daemon.socket",
            "clamav-freshclam.service",
            "clamav-freshclam-once.service",
            "clamav-freshclam-once.timer",
            "clamav-unofficial-sigs.service",
            "clamav-unofficial-sigs.timer",
            "clash@.service",
            "cntlm.service",
            "colord.service",
            "configure-printer@.service",
            "console-getty.service",
            "container-getty@.service",
            "containerd.service",
            "couchdb.service",
            "cpupower.service",
            "create_ap.service",
            "cronie.service",
            "cryptsetup.target",
            "cryptsetup-pre.target",
            "ctrl-alt-del.target",
            "cups.path",
            "cups.service",
            "cups.socket",
            "cups-lpd.socket",
            "cups-lpd@.service",
            "cxl-monitor.service",
            "darkstat.service",
            "daxdev-reconfigure@.service",
            "dbus-org.freedesktop.hostname1.service",
            "dbus-org.freedesktop.import1.service",
            "dbus-org.freedesktop.locale1.service",
            "dbus-org.freedesktop.login1.service",
            "dbus-org.freedesktop.machine1.service",
            "dbus-org.freedesktop.portable1.service",
            "dbus-org.freedesktop.timedate1.service",
            "debug-shell.service",
            "dev-hugepages.mount",
            "dev-mqueue.mount",
            "dhclient@.service",
            "dhcpd4.service",
            "dhcpd6.service",
            "dirmngr@.service",
            "dirmngr@.socket",
            "dm-event.service",
            "dm-event.socket",
            "dmraid.service",
            "dnscrypt-proxy.service",
            "dnsmasq.service",
            "docker.service",
            "docker.socket",
            "drkonqi-coredump-processor@.service",
            "e2scrub@.service",
            "e2scrub_all.service",
            "e2scrub_all.timer",
            "e2scrub_fail@.service",
            "e2scrub_reap.service",
            "ead.service",
            "elasticsearch.service",
            "elasticsearch-keystore.service",
            "elasticsearch-keystore@.service",
            "elasticsearch@.service",
            "emergency.service",
            "emergency.target",
            "epmd.service",
            "epmd.socket",
            "exabgp.service",
            "factory-reset.target",
            "fancontrol.service",
            "fastnetmon.service",
            "final.target",
            "finger.socket",
            "finger@.service",
            "first-boot-complete.target",
            "flatpak-system-helper.service",
            "freeradius.service",
            "fsidd.service",
            "fstrim.service",
            "fstrim.timer",
            "ftpd.service",
            "fwupd.service",
            "fwupd-offline-update.service",
            "fwupd-refresh.service",
            "fwupd-refresh.timer",
            "geoclue.service",
            "geoipupdate.service",
            "geoipupdate.timer",
            "getty.target",
            "getty-pre.target",
            "getty@.service",
            "git-daemon.socket",
            "git-daemon@.service",
            "gnupg-pkcs11-scd-proxy.service",
            "gpg-agent-browser@.socket",
            "gpg-agent-extra@.socket",
            "gpg-agent-ssh@.socket",
            "gpg-agent@.service",
            "gpg-agent@.socket",
            "gpm.path",
            "gpm.service",
            "gpsd.service",
            "gpsd.socket",
            "gpsdctl@.service",
            "graphical.target",
            "greenbone-certdata-sync.service",
            "greenbone-certdata-sync.timer",
            "greenbone-feed-sync.service",
            "greenbone-feed-sync.timer",
            "greenbone-nvt-sync.service",
            "greenbone-nvt-sync.timer",
            "greenbone-scapdata-sync.service",
            "greenbone-scapdata-sync.timer",
            "gssproxy.service",
            "gvmd.service",
            "halt.target",
            "healthd.service",
            "hibernate.target",
            "hostapd.service",
            "hostapd@.service",
            "httpd.service",
            "hv_fcopy_daemon.service",
            "hv_kvp_daemon.service",
            "hv_vss_daemon.service",
            "hybrid-sleep.target",
            "i2pd.service",
            "iiod.service",
            "initrd.target",
            "initrd-cleanup.service",
            "initrd-fs.target",
            "initrd-parse-etc.service",
            "initrd-root-device.target",
            "initrd-root-fs.target",
            "initrd-switch-root.service",
            "initrd-switch-root.target",
            "initrd-udevadm-cleanup-db.service",
            "initrd-usr-fs.target",
            "integritysetup.target",
            "integritysetup-pre.target",
            "iodined.service",
            "iodined.socket",
            "ip2clued.service",
            "ip6tables.service",
            "ipmidetectd.service",
            "ipmiseld.service",
            "iptables.service",
            "iscsi.service",
            "iscsi-init.service",
            "iscsid.service",
            "iscsid.socket",
            "iscsiuio.service",
            "iscsiuio.socket",
            "isnsd.service",
            "isnsd.socket",
            "iwd.service",
            "kcptun-server@.service",
            "kcptun@.service",
            "kexec.target",
            "keyboxd@.service",
            "keyboxd@.socket",
            "kmod-static-nodes.service",
            "krb5-kadmind.service",
            "krb5-kdc.service",
            "krb5-kpropd.service",
            "krb5-kpropd.socket",
            "krb5-kpropd@.service",
            "lastlog2-import.service",
            "ldconfig.service",
            "libvirt-guests.service",
            "libvirtd.service",
            "libvirtd.socket",
            "libvirtd-admin.socket",
            "libvirtd-ro.socket",
            "libvirtd-tcp.socket",
            "libvirtd-tls.socket",
            "lightdm.service",
            "lm_sensors.service",
            "local-fs.target",
            "local-fs-pre.target",
            "logrotate.service",
            "logrotate.timer",
            "lvm2-lvmpolld.service",
            "lvm2-lvmpolld.socket",
            "lvm2-monitor.service",
            "lxc.service",
            "lxc-auto.service",
            "lxc-monitord.service",
            "lxc-net.service",
            "lxc@.service",
            "lxdm.service",
            "ly.service",
            "lynis.service",
            "lynis.timer",
            "machine.slice",
            "machines.target",
            "man-db.service",
            "man-db.timer",
            "mariadb.service",
            "mariadb.socket",
            "mariadb-extra.socket",
            "mariadb-extra@.socket",
            "mariadb@.service",
            "mariadb@.socket",
            "mdadm-grow-continue@.service",
            "mdadm-last-resort@.service",
            "mdadm-last-resort@.timer",
            "mdcheck_continue.service",
            "mdcheck_continue.timer",
            "mdcheck_start.service",
            "mdcheck_start.timer",
            "mdmon@.service",
            "mdmonitor.service",
            "mdmonitor-oneshot.service",
            "mdmonitor-oneshot.timer",
            "memavaild.service",
            "mkinitcpio-generate-shutdown-ramfs.service",
            "modprobe@.service",
            "mongodb.service",
            "multi-user.target",
            "mysql.service",
            "mysqld.service",
            "named.service",
            "nbd.service",
            "nbd@.service",
            "ndctl-monitor.service",
            "neo4j.service",
            "netavark-dhcp-proxy.service",
            "netavark-dhcp-proxy.socket",
            "netdata.service",
            "network.target",
            "network-online.target",
            "network-pre.target",
            "nfs-blkmap.service",
            "nfs-client.target",
            "nfs-idmapd.service",
            "nfs-mountd.service",
            "nfs-server.service",
            "nfs-utils.service",
            "nfsdcld.service",
            "nfsv4-exportd.service",
            "nfsv4-server.service",
            "nftables.service",
            "nm-priv-helper.service",
            "nmb.service",
            "nohang.service",
            "nohang-desktop.service",
            "nscd.service",
            "nss-lookup.target",
            "nss-user-lookup.target",
            "ntpd.service",
            "ntpdate.service",
            "nvidia-hibernate.service",
            "nvidia-persistenced.service",
            "nvidia-powerd.service",
            "nvidia-resume.service",
            "nvidia-suspend.service",
            "nvmefc-boot-connections.service",
            "nvmf-autoconnect.service",
            "nvmf-connect.target",
            "nvmf-connect-nbft.service",
            "nvmf-connect@.service",
            "pacrunner.service",
            "ostree-boot-complete.service",
            "pacman-filesdb-refresh.timer",
            "pcscd.service",
            "passim.service",
            "pcscd.socket",
            "packagekit-offline-update.service",
            "phoronix-result-server.service",
            "paccache.timer",
            "plymouth-kexec.service",
            "pamac-cleancache.timer",
            "plymouth-quit.service",
            "partimaged.service",
            "plymouth-poweroff.service",
            "plymouth-read-write.service",
            "plymouth-quit-wait.service",
            "paccache.service",
            "plymouth-switch-root-initramfs.service",
            "ostree-remount.service",
            "plymouth-switch-root.service",
            "openvpn-client@.service",
            "podman-clean-transient.service",
            "pamac-offline-upgrade.service",
            "polkit.service",
            "postfix.service",
            "pam_namespace.service",
            "poweroff.target",
            "ppp@.service",
            "opensnitchd.service",
            "proc-fs-nfsd.mount",
            "proc-sys-fs-binfmt_misc.automount",
            "proc-sys-fs-binfmt_misc.mount",
            "phoromatic-server.service",
            "ptunnel.service",
            "openvpn-server@.service",
            "plymouth-halt.service",
            "pamac-cleancache.service",
            "plymouth-reboot.service",
            "ostree-state-overlay@.service",
            "ostree-finalize-staged.service",
            "postgresql.service",
            "phoromatic-client.service",
            "pamac-daemon.service",
            "pacman-filesdb-refresh.service",
            "packagekit.service",
            "pkgfile-update.service",
            "pkgfile-update.timer",
            "plymouth-start.service",
            "ostree-prepare-root.service",
            "ostree-finalize-staged.path",
            "privoxy.service",
            "ostree-finalize-staged-hold.service",
            "qemu-guest-agent.service",
            "quotaon.service",
            "quotaon-root.service",
            "quotaon@.service",
            "rabbitmq.service",
            "ras-mc-ctl.service",
            "rasdaemon.service",
            "rathole@.service",
            "ratholec@.service",
            "ratholes@.service",
            "rc-local.service",
            "rdnssd@.service",
            "reboot.target",
            "redis.service",
            "redis-sentinel.service",
            "reflector.service",
            "reflector.timer",
            "remote-cryptsetup.target",
            "remote-fs.target",
            "remote-fs-pre.target",
            "remote-veritysetup.target",
            "rescue.service",
            "rescue.target",
            "rfkill-block@.service",
            "rfkill-unblock@.service",
            "rlogin.socket",
            "rlogin@.service",
            "rpc-gssd.service",
            "rpc-statd.service",
            "rpc-statd-notify.service",
            "rpc_pipefs.target",
            "rpcbind.service",
            "rpcbind.socket",
            "rpcbind.target",
            "rsh.socket",
            "rsh@.service",
            "rsyncd.service",
            "rsyncd.socket",
            "rsyncd@.service",
            "rtkit-daemon.service",
            "runlevel0.target",
            "runlevel1.target",
            "runlevel2.target",
            "runlevel3.target",
            "runlevel4.target",
            "runlevel5.target",
            "runlevel6.target",
            "rwhod.service",
            "samba.service",
            "sddm.service",
            "seatd.service",
            "sensord.service",
            "serial-getty@.service",
            "shadow.service",
            "shadow.timer",
            "sigpwr.target",
            "slapd.service",
            "sleep.target",
            "slices.target",
            "smartd.service",
            "smb.service",
            "sndiod.service",
            "snmpd.service",
            "snmptrapd.service",
            "snort@.service",
            "snort@1000.service",
            "soft-reboot.target",
            "ssh-access.target",
            "sshd.service",
            "sshdgenkeys.service",
            "sshuttle.service",
            "sslh.service",
            "sslh-fork.service",
            "sslh-select.service",
            "storage-target-mode.target",
            "stunnel.service",
            "sudo_logsrvd.service",
            "suspend.target",
            "suspend-then-hibernate.target",
            "svnserve.service",
            "swap.target",
            "sys-fs-fuse-connections.mount",
            "sys-kernel-config.mount",
            "sys-kernel-debug.mount",
            "sys-kernel-tracing.mount",
            "sysinit.target",
            "syslog.socket",
            "system-systemd\\x2dcryptsetup.slice",
            "system-systemd\\x2dveritysetup.slice",
            "system-update.target",
            "system-update-cleanup.service",
            "system-update-pre.target",
            "systemd-ask-password-console.path",
            "systemd-ask-password-console.service",
            "systemd-ask-password-plymouth.path",
            "systemd-ask-password-plymouth.service",
            "systemd-ask-password-wall.path",
            "systemd-ask-password-wall.service",
            "systemd-backlight@.service",
            "systemd-battery-check.service",
            "systemd-binfmt.service",
            "systemd-bless-boot.service",
            "systemd-boot-check-no-failures.service",
            "systemd-boot-random-seed.service",
            "systemd-boot-update.service",
            "systemd-bootctl.socket",
            "systemd-bootctl@.service",
            "systemd-bsod.service",
            "systemd-confext.service",
            "systemd-coredump.socket",
            "systemd-coredump@.service",
            "systemd-creds.socket",
            "systemd-creds@.service",
            "systemd-firstboot.service",
            "systemd-fsck-root.service",
            "systemd-fsck@.service",
            "systemd-growfs-root.service",
            "systemd-growfs@.service",
            "systemd-halt.service",
            "systemd-hibernate.service",
            "systemd-hibernate-resume.service",
            "systemd-homed.service",
            "systemd-homed-activate.service",
            "systemd-homed-firstboot.service",
            "systemd-hostnamed.service",
            "systemd-hostnamed.socket",
            "systemd-hwdb-update.service",
            "systemd-hybrid-sleep.service",
            "systemd-importd.service",
            "systemd-initctl.service",
            "systemd-initctl.socket",
            "systemd-journal-catalog-update.service",
            "systemd-journal-flush.service",
            "systemd-journal-gatewayd.service",
            "systemd-journal-gatewayd.socket",
            "systemd-journal-remote.service",
            "systemd-journal-remote.socket",
            "systemd-journal-upload.service",
            "systemd-journald.service",
            "systemd-journald.socket",
            "systemd-journald-audit.socket",
            "systemd-journald-dev-log.socket",
            "systemd-journald-varlink@.socket",
            "systemd-journald@.service",
            "systemd-journald@.socket",
            "systemd-kexec.service",
            "systemd-localed.service",
            "systemd-logind.service",
            "systemd-machine-id-commit.service",
            "systemd-machined.service",
            "systemd-modules-load.service",
            "systemd-network-generator.service",
            "systemd-networkd.service",
            "systemd-networkd.socket",
            "systemd-networkd-persistent-storage.service",
            "systemd-networkd-wait-online.service",
            "systemd-networkd-wait-online@.service",
            "systemd-nspawn@.service",
            "systemd-oomd.service",
            "systemd-oomd.socket",
            "systemd-pcrextend.socket",
            "systemd-pcrextend@.service",
            "systemd-pcrfs-root.service",
            "systemd-pcrfs@.service",
            "systemd-pcrlock.socket",
            "systemd-pcrlock-file-system.service",
            "systemd-pcrlock-firmware-code.service",
            "systemd-pcrlock-firmware-config.service",
            "systemd-pcrlock-machine-id.service",
            "systemd-pcrlock-make-policy.service",
            "systemd-pcrlock-secureboot-authority.service",
            "systemd-pcrlock-secureboot-policy.service",
            "systemd-pcrlock@.service",
            "systemd-pcrmachine.service",
            "systemd-pcrphase.service",
            "systemd-pcrphase-initrd.service",
            "systemd-pcrphase-sysinit.service",
            "systemd-portabled.service",
            "systemd-poweroff.service",
            "systemd-pstore.service",
            "systemd-quotacheck.service",
            "systemd-quotacheck-root.service",
            "systemd-quotacheck@.service",
            "systemd-random-seed.service",
            "systemd-reboot.service",
            "systemd-remount-fs.service",
            "systemd-repart.service",
            "systemd-resolved.service",
            "systemd-rfkill.service",
            "systemd-rfkill.socket",
            "systemd-soft-reboot.service",
            "systemd-storagetm.service",
            "systemd-suspend.service",
            "systemd-suspend-then-hibernate.service",
            "systemd-sysctl.service",
            "systemd-sysext.service",
            "systemd-sysext.socket",
            "systemd-sysext@.service",
            "systemd-sysupdate.service",
            "systemd-sysupdate.timer",
            "systemd-sysupdate-reboot.service",
            "systemd-sysupdate-reboot.timer",
            "systemd-sysusers.service",
            "systemd-time-wait-sync.service",
            "systemd-timedated.service",
            "systemd-timesyncd.service",
            "systemd-tmpfiles-setup-dev.service",
            "systemd-tmpfiles-setup-dev-early.service",
            "systemd-tpm2-setup.service",
            "systemd-tpm2-setup-early.service",
            "systemd-udev-trigger.service",
            "systemd-udevd.service",
            "systemd-udevd-control.socket",
            "systemd-udevd-kernel.socket",
            "systemd-update-done.service",
            "systemd-update-utmp.service",
            "systemd-update-utmp-runlevel.service",
            "systemd-user-sessions.service",
            "systemd-userdbd.service",
            "systemd-userdbd.socket",
            "systemd-vconsole-setup.service",
            "systemd-vmspawn@.service",
            "systemd-volatile-root.service",
            "systemd-zram-setup@.service",
            "talk.service",
            "talk.socket",
            "teamd@.service",
            "telnet.socket",
            "telnet@.service",
            "time-set.target",
            "time-sync.target",
            "tinc.service",
            "tinc@.service",
            "tinyproxy.service",
            "tlp.service",
            "tmp.mount",
            "tor.service",
            "tpm2.target",
            "udisks2.service",
            "udp2raw@.service",
            "ufw.service",
            "uksmd.service",
            "umount.target",
            "unbound.service",
            "updatedb.service",
            "updatedb.timer",
            "upower.service",
            "usb-gadget.target",
            "usb_modeswitch@.service",
            "usbipd.service",
            "usbmuxd.service",
            "user.slice",
            "user-runtime-dir@.service",
            "user@.service",
            "uuidd.service",
            "uuidd.socket",
            "var-lib-machines.mount",
            "var-lib-nfs-rpc_pipefs.mount",
            "vboxdrmclient.path",
            "vboxdrmclient.service",
            "vboxservice.service",
            "veritysetup.target",
            "veritysetup-pre.target",
            "virt-guest-shutdown.target",
            "virtchd.service",
            "virtchd.socket",
            "virtchd-admin.socket",
            "virtchd-ro.socket",
            "virtinterfaced.service",
            "virtinterfaced.socket",
            "virtinterfaced-admin.socket",
            "virtinterfaced-ro.socket",
            "virtlockd.service",
            "virtlockd.socket",
            "virtlockd-admin.socket",
            "virtlogd.service",
            "virtlogd.socket",
            "virtlogd-admin.socket",
            "virtlxcd.service",
            "virtlxcd.socket",
            "virtlxcd-admin.socket",
            "virtlxcd-ro.socket",
            "virtnetworkd.service",
            "virtnetworkd.socket",
            "virtnetworkd-admin.socket",
            "virtnetworkd-ro.socket",
            "virtnodedevd.service",
            "virtnodedevd.socket",
            "virtnodedevd-admin.socket",
            "virtnodedevd-ro.socket",
            "virtnwfilterd.service",
            "virtnwfilterd.socket",
            "virtnwfilterd-admin.socket",
            "virtnwfilterd-ro.socket",
            "virtproxyd.service",
            "virtproxyd.socket",
            "virtproxyd-admin.socket",
            "virtproxyd-ro.socket",
            "virtproxyd-tcp.socket",
            "virtproxyd-tls.socket",
            "virtqemud.service",
            "virtqemud.socket",
            "virtqemud-admin.socket",
            "virtqemud-ro.socket",
            "virtsecretd.service",
            "virtsecretd.socket",
            "virtsecretd-admin.socket",
            "virtsecretd-ro.socket",
            "virtstoraged.service",
            "virtstoraged.socket",
            "virtstoraged-admin.socket",
            "virtstoraged-ro.socket",
            "virtvboxd.service",
            "virtvboxd.socket",
            "virtvboxd-admin.socket",
            "virtvboxd-ro.socket",
            "vmtoolsd.service",
            "vmware-vmblock-fuse.service",
            "vpnc@.service",
            "wacom-inputattach@.service",
            "wg-quick.target",
            "wg-quick@.service",
            "winbind.service",
            "wondershaper.service",
            "wpa_supplicant.service",
            "wpa_supplicant-nl80211@.service",
            "wpa_supplicant-wired@.service",
            "wpa_supplicant@.service",
            "xfs_scrub@.service",
            "xfs_scrub_all.service",
            "xfs_scrub_all.timer",
            "xfs_scrub_fail@.service",
            "xl2tpd.service",
            "xplico.service",
            "xrdp.service",
            "xrdp-sesman.service",
            "yate.service",
            "zfs.target",
            "zfs-import.service",
            "zfs-import.target",
            "zfs-import-cache.service",
            "zfs-import-scan.service",
            "zfs-load-key.service",
            "zfs-mount.service",
            "zfs-scrub-monthly@.timer",
            "zfs-scrub-weekly@.timer",
            "zfs-scrub@.service",
            "zfs-share.service",
            "zfs-trim-monthly@.timer",
            "zfs-trim-weekly@.timer",
            "zfs-trim@.service",
            "zfs-volume-wait.service",
            "zfs-volumes.target",
            "zfs-zed.service",
            "plymouth.conf",
            "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
            "keyboxd@etc-pacman.d-gnupg.socket",
            "dirmngr@etc-pacman.d-gnupg.socket",
            "gpg-agent-browser@etc-pacman.d-gnupg.socket",
            "gpg-agent-extra@etc-pacman.d-gnupg.socket",
            "gpg-agent@etc-pacman.d-gnupg.socket",
            "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
            "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
            "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
            "50-rc_keymap.conf",
            "10-defaults.conf",
            "10-login-barrier.conf",
            "20-systemd-userdb.conf",
            "20-systemd-ssh-proxy.conf",
            "iptables-flush",
            "cpupower",
            "chkboot-bootcheck",
            "10-root.conf",
            "30-root-verity-sig.conf",
            "20-root-verity.conf",
            "80-systemd-timesync.list",
            "80-6rd-tunnel.link",
            "80-container-ve.network",
            "80-container-vb.network",
            "80-container-vz.link",
            "80-6rd-tunnel.network",
            "80-container-vz.network",
            "80-auto-link-local.network.example",
            "80-ethernet.network.example",
            "80-container-host0.network",
            "80-iwd.link",
            "80-container-vb.link",
            "80-vm-vt.link",
            "80-vm-vt.network",
            "80-wifi-adhoc.network",
            "80-wifi-ap.network.example",
            "80-wifi-station.network.example",
            "80-container-ve.link",
            "89-ethernet.network.example",
            "99-default.link",
            "dbus-broker.catalog",
            "dbus-broker-launch.catalog",
            "systemd.be.catalog",
            "systemd.be@latin.catalog",
            "systemd.da.catalog",
            "systemd.bg.catalog",
            "systemd.hu.catalog",
            "systemd.catalog",
            "systemd.it.catalog",
            "systemd.fr.catalog",
            "systemd.ko.catalog",
            "systemd.hr.catalog",
            "systemd.pl.catalog",
            "systemd.pt_BR.catalog",
            "systemd.ru.catalog",
            "systemd.sr.catalog",
            "systemd.zh_CN.catalog",
            "systemd.de.catalog",
            "systemd.zh_TW.catalog",
            "expl_cve_2021_40444.yar"
          ],
          "public": 1,
          "adversary": "Chinese Speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RemainAfterExit",
              "display_name": "RemainAfterExit",
              "target": null
            },
            {
              "id": "NMBDOPTIONS",
              "display_name": "NMBDOPTIONS",
              "target": null
            },
            {
              "id": "SMBDOPTIONS",
              "display_name": "SMBDOPTIONS",
              "target": null
            },
            {
              "id": "SuccessAction",
              "display_name": "SuccessAction",
              "target": null
            },
            {
              "id": "WINBINDOPTIONS",
              "display_name": "WINBINDOPTIONS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "YARA": 16,
            "CVE": 4,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "domain": 102,
            "URL": 16,
            "email": 9,
            "hostname": 4,
            "CIDR": 2
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e188af5a8a73c746708a1c",
          "name": "Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant",
          "description": "",
          "modified": "2024-03-01T07:50:07.282000",
          "created": "2024-03-01T07:50:07.282000",
          "tags": [
            "cve202421893",
            "bushwalk",
            "ivanti connect",
            "unc5325",
            "mandiant",
            "pithook",
            "ivanti",
            "secure",
            "variant",
            "ttps",
            "entity",
            "python",
            "next",
            "download",
            "saml",
            "pitstop"
          ],
          "references": [
            "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SAML",
              "display_name": "SAML",
              "target": null
            },
            {
              "id": "BUSHWALK",
              "display_name": "BUSHWALK",
              "target": null
            },
            {
              "id": "PITSTOP",
              "display_name": "PITSTOP",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Defense",
            "Industrial",
            "Technology",
            "Telecommunication"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 14,
            "URL": 1,
            "YARA": 2,
            "domain": 6
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 844,
          "modified_text": "774 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65cf33807cd5642117bb0752",
          "name": "Flatlined: Analyzing Pulse Secure Firmware and Bypassing Integrity Checking - Eclypsium | Supply Chain Security for the Modern Enterprise",
          "description": "As part of a research project, Eclypsium discovered a range of vulnerabilities exposed during the reverse engineering of Pulse Secure devices from Ivanti, one of the world\u2019s leading black box vendors.",
          "modified": "2024-02-16T10:05:52.749000",
          "created": "2024-02-16T10:05:52.749000",
          "tags": [
            "ivanti",
            "pulse secure",
            "python script",
            "emba",
            "february",
            "fortinet",
            "ivanti connect",
            "linux",
            "april",
            "january",
            "back",
            "import",
            "phase",
            "python",
            "august"
          ],
          "references": [
            "https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "EMBA",
              "display_name": "EMBA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "domain": 2
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 843,
          "modified_text": "787 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62991c41f215e8bbb4034237",
          "name": "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA",
          "description": "The US government's Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies that malicious cyber actors are exploiting two vulnerabilities in unpatched VMware products.",
          "modified": "2022-07-02T00:05:39.094000",
          "created": "2022-06-02T20:23:29.737000",
          "tags": [
            "godzilla",
            "uscert",
            "csirt",
            "cert",
            "cybersecurity",
            "cyber security",
            "computer security",
            "u. s. computer emergency readiness",
            "cyber risks",
            "april",
            "cisa",
            "cve202222954",
            "ip address",
            "one access",
            "dingo jspy",
            "cve202222960",
            "threat actor",
            "victim",
            "get request",
            "june"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Godzilla",
              "display_name": "Godzilla",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "apextechnology",
            "id": "85564",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_85564/resized/80/avatar_e0767b85c3.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 5,
            "URL": 4,
            "YARA": 1,
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "view.js",
        "npm-prune.md",
        "dirmngr@.socket",
        "npm-sbom.md",
        "plymouth-quit-wait.service",
        "format-search-stream.js",
        "kde-baloo.service",
        "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b",
        "nfs-server.service",
        "systemd-sysusers.service",
        "pamac-cleancache.service",
        "shadow.service",
        "payload.php.009",
        "no_ads.txt",
        "ratholec@.service",
        "quotaon@.service",
        "compare-loose.js",
        "plymouth-switch-root.service",
        "systemd-bsod.service",
        "libc6-i386_2.19-0ubuntu6.15_amd64.url",
        "modules.isapnpmap",
        "nfsv4-exportd.service",
        "libvirt-guests.service",
        "SeTconfig (2)",
        "passim.service",
        "telnet@.service",
        "libc6-i386_2.4-1ubuntu12.3_amd64.url",
        "defaults.conf",
        "ip2clued.service",
        "hostapd@.service",
        "dbus-org.freedesktop.portable1.service",
        "50-zfs.preset",
        "set.js",
        "autovt@.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.url",
        "nss-lookup.target",
        "plasma-restoresession.service",
        "makedevs.sh",
        "clean.js",
        "simplify.js",
        "import_duplicity.py",
        "plymouth-switch-root-initramfs.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.url",
        "ping.js",
        "pacote",
        "systemd-homed-activate.service",
        "SeTpartitions",
        "vboxdrmclient.path",
        "plasma-xembedsniproxy.service",
        "chkboot.service",
        "xrdp.service",
        "80-container-vb.link",
        "open-url-prompt.js",
        "drecurse (2).py",
        "netavark-dhcp-proxy.socket",
        "repo.js",
        "syslinux (2).cfg",
        "fuse.py",
        "atftpd.service",
        "libvirtd-tcp.socket",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols",
        "ls.py",
        "re.js",
        "rsh@.service",
        "eicar.001",
        "libc6-i386_2.24-9ubuntu2_amd64.info",
        "jack@.service",
        "systemd-exit.service",
        "e2scrub@.service",
        "a.txt:ads.txt",
        "ipmiseld.service",
        "graphical-session-pre.target",
        "repo.py",
        "udisks2.service",
        "at-spi-dbus-bus.service",
        "comparator.js",
        "systemd-remount-fs.service",
        "plasma-gmenudbusmenuproxy.service",
        "storage-target-mode.target",
        "docs.js",
        "OpenSSLConfigVersion.cmake",
        "libc6-i386_2.13-20ubuntu5.2_amd64.symbols",
        "sys-kernel-config.mount",
        "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations",
        "tlp.service",
        "MozillaUpdateLock-7A4D7A8EFFB43502",
        "mariadb@.socket",
        "npm-doctor.md",
        "random.py",
        "cpupower.service",
        "murmur2",
        "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc",
        "systemd-pcrlock-file-system.service",
        "configure-printer@.service",
        "systemd-pstore.service",
        "libc6-i386_2.24-9ubuntu2_amd64.symbols",
        "postgresql.service",
        "clamav-clamonacc.service",
        "NetworkManager-dispatcher.service",
        "libc6-i386_2.6.1-1ubuntu9_amd64.url",
        "systemd-reboot.service",
        "umount.target",
        "80-iwd.link",
        "isnsd.socket",
        "ipmidetectd.service",
        "80-container-host0.network",
        "yara.pc",
        "profile (2)",
        "services (2)",
        "virtproxyd.service",
        "iterator.js",
        "systemd-boot-update.service",
        "proc-sys-fs-binfmt_misc.mount",
        "drkonqi-coredump-pickup.service",
        "quotaon-root.service",
        "80-vm-vt.link",
        ".X0-lock",
        "man-db.timer",
        "nm-cloud-setup.service",
        "systemd-tmpfiles-clean.timer",
        "nfs-utils.service",
        "libc6-i386_2.3.6-0ubuntu20_amd64.symbols",
        "outdated.js",
        "coerce.js",
        "libc6-i386_2.23-0ubuntu3_amd64.url",
        "kingdee-erp-rce.yaml",
        "systemd-volatile-root.service",
        "npm-ping.md",
        "get-workspaces.js",
        "libc6-i386_2.27-3ubuntu1_amd64.info",
        "options.py",
        "xdg-permission-store.service",
        ".zcompdump-m1904-5.9",
        "gnome-keyring-daemon.service",
        "list.php",
        "celery@.service",
        "pkg.js",
        "patch.js",
        "var-lib-nfs-rpc_pipefs.mount",
        "pam_namespace.service",
        "to-comparators.js",
        "vint.py",
        "systemd-pcrlock.socket",
        "glib-pacrunner.service",
        "systemd-oomd.socket",
        "netdata.service",
        "systemd-time-wait-sync.service",
        "ead.service",
        "systemd.pl.catalog",
        "systemd-initctl.socket",
        "prerelease.js",
        "gte.js",
        "openmachine.rc",
        "empty (3)",
        "FDhelp (2)",
        "runlevel1.target",
        "80-wifi-station.network.example",
        "arch-audit.service",
        "systemd-journald@.service",
        "nopartHELP (2)",
        "SeTfull",
        "INSNFS",
        "npmrc",
        "plasma-kglobalaccel.service",
        "krb5-kadmind.service",
        "rcompare.js",
        "sensord.service",
        "checkout_info.py",
        "20-systemd-ssh-proxy.conf",
        "usb-gadget.target",
        "sys-kernel-tracing.mount",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.url",
        "fdisk",
        "80-6rd-tunnel.link",
        "wondershaper.service",
        "krb5-kpropd.socket",
        "npm-outdated.md",
        "libc6-i386_2.17-0ubuntu5.1_amd64.info",
        "payload.php.013",
        "shadow.timer",
        "shells",
        "virtchd.socket",
        "virtlxcd-admin.socket",
        "libc6-i386_2.23-0ubuntu10_amd64.info",
        "empty.lock~",
        "dbus.socket",
        "libc6-i386_2.13-0ubuntu13_amd64.info",
        "systemd-pcrphase-sysinit.service",
        "60-flatpak",
        "gpg-agent-browser@etc-pacman.d-gnupg.socket",
        "proc-sys-fs-binfmt_misc.automount",
        "runlevel0.target",
        "elasticsearch-keystore@.service",
        "wpa_supplicant-wired@.service",
        "payload.php.004",
        "web-auth.js",
        "stop.js",
        "SeTkeymap",
        "gpg-agent-extra@etc-pacman.d-gnupg.socket",
        "removal.md",
        "ip6tables.service",
        "openssl.pc",
        "vfs.py",
        "systemd-binfmt.service",
        "passwd (2)",
        "85-nm-unmanaged.rules",
        "package-lock-json.md",
        "plymouth-reboot.service",
        "dunst.service",
        "iscsiuio.service",
        "lm_sensors.service",
        "flatpak-oci-authenticator.service",
        "meta.py",
        "ctrl-alt-del.target",
        "systemd-journald.service",
        "plasma-ksplash.service",
        "iodined.socket",
        "remote-cryptsetup.target",
        "SeTfdHELP",
        "dhcpd6.service",
        "systemd-tmpfiles-setup-dev.service",
        "SeTPKG",
        "cntlm.service",
        "systemd-udev-trigger.service",
        "virtlockd-admin.socket",
        "winbind.service",
        "systemd-journal-gatewayd.socket",
        "systemd-sysupdate.service",
        "zfs-import.target",
        "setup",
        "systemd-random-seed.service",
        "mdcheck_continue.service",
        "npm-unpublish.md",
        "sshuttle.service",
        "team.js",
        "udp2raw@.service",
        "npm-publish.md",
        "npm-link.md",
        "brc",
        "plasma-krunner.service",
        "initrd.target",
        "validate-engines.js",
        "memavaild.service",
        "pacrunner.service",
        "npx.md",
        "plasma-powerdevil.service",
        "plasma-plasmashell.service",
        "libc6-i386_2.28-0ubuntu1_amd64.url",
        "systemd.sr.catalog",
        "save.py",
        "greenbone-scapdata-sync.timer",
        "networks (2)",
        "index.py",
        "npm-edit.md",
        "pulseaudio.service",
        "libc6-i386_2.15-0ubuntu10.18_amd64.info",
        "libc6-i386_2.28-10_amd64.url",
        "shadow",
        "libc6-i386_2.27-3ubuntu1_amd64.url",
        "systemd-pcrlock-secureboot-policy.service",
        "first-boot-complete.target",
        "systemd-journald@.socket",
        "npm.md",
        "containerd.service",
        "libc6-i386_2.7-10ubuntu8.3_amd64.url",
        "rpc-statd-notify.service",
        "rm.py",
        "search.js",
        "user-runtime-dir@.service",
        "web.py",
        "systemd-confext.service",
        "virtproxyd-ro.socket",
        "pkgfile-update.timer",
        "libc6-i386_2.10.1-0ubuntu15_amd64.info",
        "libc6-i386_2.24-9ubuntu2.2_amd64.url",
        "npm-profile.md",
        "libc6-i386_2.13-0ubuntu13.2_amd64.url",
        "smb.service",
        "dirmngr.service",
        "systemd-growfs-root.service",
        "apache-tika.service",
        "usbmuxd.service",
        "issue (2)",
        "libnm-wwan.la",
        "ananicy-cpp.service",
        "blk-availability.service",
        "termcap (2)",
        "x.jnlp",
        "libc6-i386_2.29-0ubuntu2_amd64.symbols",
        "systemd-sysupdate.timer",
        "getty@.service",
        "libc6-i386_2.24-9ubuntu2.2_amd64.info",
        "reboot.target",
        "libc6-i386_2.19-10ubuntu2_amd64.symbols",
        "libc6-i386_2.13-20ubuntu5.2_amd64.info",
        "gvfs-daemon.service",
        "systemd-oomd.service",
        "lt.js",
        "libc6-i386_2.19-0ubuntu6.15_amd64.info",
        "smartcard.target",
        "guacd.service",
        "apt_sandworm_exim_expl.yar",
        "systemd-zram-setup@.service",
        "dconf.service",
        "borgmatic.timer",
        "samba.service",
        "INSCD",
        "install-test.js",
        "range.js",
        "fwupd-offline-update.service",
        "systemd-udevd-kernel.socket",
        "cronie.service",
        "mdcheck_start.service",
        "greenbone-feed-sync.service",
        "npm-login.md",
        "sbom-spdx.js",
        "npm-install-test.md",
        "systemd-networkd.socket",
        "systemd-pcrlock-machine-id.service",
        "npm-diff.md",
        "profile",
        "systemd-soft-reboot.service",
        "graphical.target",
        "npm-bugs.md",
        "bugs.js",
        "systemd-tmpfiles-setup.service",
        "libc6-i386_2.15-0ubuntu20.2_amd64.symbols",
        "plasma-polkit-agent.service",
        "systemd-udevd.service",
        "cli-entry.js",
        "SeTnopart",
        "libc6-i386_2.4-1ubuntu12_amd64.url",
        "brc (2)",
        "systemd-ask-password-console.service",
        "dbus-broker.catalog",
        "machine.slice",
        "sleep.target",
        "npm-start.md",
        "fsck.ext2",
        "snmpd.service",
        "mysql.service",
        "libc6-i386_2.5-0ubuntu14_amd64.url",
        "rpcbind.socket",
        "podman-kube@.service",
        "glob",
        "fwupd.service",
        "lynis.service",
        "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661da0b063c895fc2d0a78dc",
        "filesize",
        "io.py",
        "kcptun-server@.service",
        "systemd-journald-dev-log.socket",
        "systemd-vmspawn@.service",
        "libc6-i386_2.19-0ubuntu6_amd64.symbols",
        "INShd (2)",
        "hostapd.service",
        "installed-shallow.js",
        "run-script.js",
        "arborist-cmd.js",
        "libc6-i386_2.7-10ubuntu3_amd64.info",
        "colord-session.service",
        "gpg-agent-extra.socket",
        "exec.js",
        "lvm2-monitor.service",
        "virtnwfilterd.socket",
        "libc6-i386_2.15-0ubuntu10_amd64.url",
        "80-vm-vt.network",
        "nm-shared.xml",
        "install-ci-test.js",
        "systemd-sysext.service",
        "std",
        "systemd-coredump@.service",
        "removepkg",
        "modules.dep",
        "systemd-ask-password-plymouth.service",
        "drkonqi-coredump-processor@.service",
        "passwd",
        "queryable.js",
        "systemd-pcrfs@.service",
        "libc6-i386_2.19-0ubuntu6_amd64.info",
        "zfs-volumes.target",
        "sshd.service",
        "initrd-switch-root.service",
        "drkonqi-coredump-cleanup.service",
        "npm-token.md",
        "developers.md",
        "libc6-i386_2.24-3ubuntu1_amd64.symbols",
        "sshdgenkeys.service",
        "systemd-bootctl.socket",
        "talk.service",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols",
        "plasma-ksmserver.service",
        "log-file.js",
        "wg-quick.target",
        "npm-org.md",
        "stars.js",
        "libc6-i386_2.23-0ubuntu3_amd64.info",
        "basic.target",
        "80-wifi-ap.network.example",
        "gssuserproxy.service",
        "dev-mqueue.mount",
        "plymouth-poweroff.service",
        "80-container-ve.network",
        "hosts (2)",
        "virtlockd.service",
        "semver.js",
        "libc6-i386_2.13-0ubuntu13_amd64.symbols",
        "libc6-i386_2.6.1-1ubuntu10_amd64.url",
        "celery2@.service",
        "betterlockscreen@.service",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols",
        "remote-fs-pre.target",
        "libc6-i386_2.19-18+deb8u10_amd64.url",
        "paccache.service",
        "git-daemon@.service",
        "virtnwfilterd-ro.socket",
        "60-flatpak-system-only",
        "plymouth-start.service",
        "alsa-state.service",
        "stage2 (3)",
        "cache.js",
        "systemd-quotacheck@.service",
        "INSdir",
        "npm-stars.md",
        "plasma-ksystemstats.service",
        "pamac-daemon.service",
        "virtchd-admin.socket",
        "systemd-backlight@.service",
        "motd (2)",
        "SeTswap",
        "cfdisk",
        "libvirtd-ro.socket",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.info",
        "plymouth-quit.service",
        "libc6-i386_2.3.6-0ubuntu20_amd64.info",
        "SeTmedia (2)",
        "qrcode-terminal",
        "imurmurhash.min.js",
        "migrate (2).sh",
        "libc6-i386_2.11.1-0ubuntu7_amd64.url",
        "podman-clean-transient.service",
        "libc6-i386_2.6.1-1ubuntu9_amd64.symbols",
        "sysinit.target",
        "a.txt",
        "gc (2).py",
        "gc.py",
        "systemd-userdbd.socket",
        "libc6-i386_2.21-0ubuntu4.3_amd64.url",
        "virtnodedevd-admin.socket",
        "lifecycle-cmd.js",
        "network",
        "systemd-hwdb-update.service",
        "systemd-update-utmp.service",
        "libc6-i386_2.17-0ubuntu5_amd64.info",
        "capsule@.target",
        "rescan-scsi-bus",
        "dbus-org.freedesktop.timedate1.service",
        "tinyproxy.service",
        "libc6-i386_2.19-0ubuntu6_amd64.url",
        "gvfs-metadata.service",
        "bmc-watchdog.service",
        "sockets.target",
        "timers.js",
        "stage2 (2)",
        "bloom (2).py",
        "systemd-pcrlock-secureboot-authority.service",
        "setdb.php.001",
        "postfix.service",
        "closemachine.rc",
        "dialogrc",
        "mdadm-last-resort@.timer",
        "mux.py",
        "hosts",
        "libvirtd.service",
        "systemd-networkd-wait-online@.service",
        "session.slice",
        "eq.js",
        "libc6-i386_2.15-0ubuntu10_amd64.symbols",
        "pamac-cleancache.timer",
        "apparmor.conf",
        "gcr-ssh-agent.service",
        "https://hybrid-analysis.com/sample/479a0170df010c5eb742ff1b8740a2ccf381df44c8a919c95d6e38685278e78a/661da5c768340c1e25092cb2",
        "help.py",
        "integritysetup-pre.target",
        "libc6-i386_2.19-10ubuntu2.3_amd64.info",
        "virtinterfaced-ro.socket",
        "libc6-i386_2.28-0ubuntu1_amd64.info",
        "payload.php.005",
        "teamd@.service",
        "graphical-session.target",
        "libc6-i386_2.13-20ubuntu5_amd64.symbols",
        "rsyncd.socket",
        "virtqemud-ro.socket",
        "package-spec.md",
        "archlinux-keyring-wkd-sync.service",
        "initrd-usr-fs.target",
        "slices.target",
        "hybrid-sleep.target",
        "pcscd.service",
        "nvidia-powerd.service",
        "systemd-network-generator.service",
        "libc6-i386_2.5-0ubuntu14_amd64.symbols",
        "rathole@.service",
        "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601",
        "dnscrypt-proxy.service",
        "gvfs-afc-volume-monitor.service",
        "reify-output.js",
        "exit.target",
        "libnm-device-plugin-team.la",
        "virtvboxd-admin.socket",
        "syslog.conf",
        "makedevs (2).sh",
        "nfs-client.target",
        "npm-restart.md",
        "podman-auto-update.timer",
        "npm-access.md",
        "virtproxyd-admin.socket",
        "suspend-then-hibernate.target",
        "ostree-prepare-root.service",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63",
        "libc6-i386_2.15-0ubuntu20.2_amd64.info",
        "path.py",
        "arch-audit.timer",
        "systemd-machine-id-commit.service",
        "b3336837578",
        "redis.service",
        "memtest.py",
        "libc6-i386_2.6.1-1ubuntu9_amd64.info",
        "npm-logout.md",
        "edit.js",
        "validate-lockfile.js",
        "cape-rooter.service",
        "update-notifier.js",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a",
        "cryptsetup-pre.target",
        "halt.target",
        "geoipupdate.service",
        "index.js",
        "xdg-desktop-portal-hyprland.service",
        "80-auto-link-local.network.example",
        "group",
        "systemd.ko.catalog",
        "mariadb.socket",
        "INSfd",
        "nbd@.service",
        "restart.js",
        "quotaon.service",
        "pacman-filesdb-refresh.service",
        "getty-pre.target",
        "systemd-sysext.socket",
        "xdg-desktop-autostart.target",
        "zfs-mount.service",
        "cape-web.service",
        "cryptsetup.target",
        "poweroff.target",
        "99-default.preset",
        "libc6-i386_2.26-0ubuntu2_amd64.symbols",
        "on.py",
        "libc6-i386_2.21-0ubuntu4_amd64.symbols",
        "libc6-i386_2.31-0ubuntu6_amd64.url",
        "updatedb.timer",
        "libc6-i386_2.21-0ubuntu4_amd64.info",
        "inittab",
        "gnupg-pkcs11-scd-proxy.service",
        "shutdown.target",
        "npm-team.md",
        "packagekit.service",
        "PROMPThelp",
        "mdmonitor-oneshot.service",
        "auth.js",
        "SeTDOS (2)",
        "LICENSE",
        "greenbone-nvt-sync.timer",
        ".X1-lock",
        "p11-kit-server.socket",
        "audit-error.js",
        "ld.so.conf",
        "dbus-broker.service",
        "gvfs-gphoto2-volume-monitor.service",
        "fwupd-refresh.service",
        "libc6-i386_2.24-9ubuntu2.2_amd64.symbols",
        "styles.css",
        "systemd-journald.socket",
        "systemd.fr.catalog",
        "libc6-i386_2.19-10ubuntu2_amd64.info",
        "daxdev-reconfigure@.service",
        "healthd.service",
        "client.py",
        "autorandr.service",
        "kmod-static-nodes.service",
        "libnm-device-plugin-ovs.la",
        "sys-fs-fuse-connections.mount",
        "pamac-offline-upgrade.service",
        "completion.js",
        "is-windows.js",
        "gvfs-udisks2-volume-monitor.service",
        "margin.py",
        "version (2).py",
        "__init__.py",
        "drkonqi-sentry-postman.timer",
        "systemd-importd.service",
        "networks",
        "libc6-i386_2.17-93ubuntu4_amd64.symbols",
        "cups.service",
        "ab.1",
        "gpg-agent@.service",
        "hashsplit.py",
        "systemd-ask-password-wall.service",
        "libc6-i386_2.12.1-0ubuntu6_amd64.symbols",
        "https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/",
        "OpenSSLConfig.cmake",
        "connect.php.001",
        "darkstat.service",
        "zfs-trim-monthly@.timer",
        "prune_older.py",
        "snort@1000.service",
        "nfs-idmapd.service",
        "libnm.la",
        "npm-explore.md",
        "libc6-i386_2.28-10_amd64.symbols",
        "payload.php.006",
        "systemd-poweroff.service",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols",
        "fsck (2).ext2",
        "npm-version.md",
        "systemd-ask-password-console.path",
        "network-pre.target",
        "libc6-i386_2.10.1-0ubuntu15_amd64.url",
        "rpcbind.service",
        "updatedb.service",
        "pulse-till-done.js",
        "npm-unstar.md",
        "emergency.target",
        "ostree-state-overlay@.service",
        "gpg-agent@.socket",
        "zfs-load-key.service",
        "nfs-mountd.service",
        "setdb.php",
        "systemd-networkd-wait-online.service",
        "virtchd.service",
        "completion.sh",
        "std (2)",
        "libc6-i386_2.15-0ubuntu20.2_amd64.url",
        "package.json",
        "on__server.py",
        "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194",
        "lxc@.service",
        "ostree-finalize-staged-hold.service",
        "reverse_tcp.py",
        "systemd-update-helper",
        "dbus.service",
        "npm-stop.md",
        "chkboot-bootcheck",
        "help-search.js",
        "host.conf",
        "plasma-kwin_x11.service",
        "npm-root.md",
        "libnm-device-plugin-adsl.la",
        "systemd-user-sessions.service",
        "mtools (2).conf",
        "virtlxcd.socket",
        "pipewire.socket",
        "systemd.da.catalog",
        "network-online.target",
        "systemd-timesyncd.service",
        "rtkit-daemon.service",
        "Hunting_B64Engine_DotNetToJScript_Dos.yar",
        "zfs-volume-wait.service",
        "dedupe.js",
        "3proxy.service",
        "plasma-kcminit-phase1.service",
        "nohang-desktop.service",
        ".zcompdump",
        "console-getty.service",
        "virtproxyd-tcp.socket",
        "system-update-pre.target",
        "elasticsearch-keystore.service",
        "base-command.js",
        "gpsd.socket",
        "zfs-trim@.service",
        "systemd-journal-catalog-update.service",
        "sys-kernel-debug.mount",
        "modules.parportmap",
        "pcmcia",
        "suricata-update.timer",
        "tar.js",
        "xfs_scrub_all.timer",
        "dirmngr@.service",
        "greenbone-certdata-sync.service",
        "yate.service",
        "ftpd.service",
        "plasma-dolphin.service",
        "guac-web.service",
        "npm-audit.md",
        "config.md",
        "virtlxcd-ro.socket",
        "virtsecretd-admin.socket",
        "rsh.socket",
        "SeTpartitions (2)",
        "clamav-freshclam-once.service",
        "SeTmedia",
        "crypto-miner.js",
        "systemd.bg.catalog",
        "systemd-pcrphase.service",
        "libc6-i386_2.13-20ubuntu5.3_amd64.info",
        "drkonqi-coredump-cleanup.timer",
        "lynis.timer",
        "test.js",
        "INSfd (2)",
        "shadow (2)",
        "soft-reboot.target",
        "features.py",
        "systemd-resolved.service",
        "systemd-journald-varlink@.socket",
        "expl_cve_2021_40444.yar.002",
        "scope.md",
        "drkonqi-sentry-postman.path",
        "clamav-unofficial-sigs.timer",
        "libc6-i386_2.4-1ubuntu12.3_amd64.symbols",
        "display.js",
        "man-db.service",
        "rpc_pipefs.target",
        "NetworkManager.service",
        "libc6-i386_2.15-0ubuntu20_amd64.symbols",
        "org.js",
        "APT_Backdoor_PS1_BASICPIPESHELL_1.yar",
        "npm-owner.md",
        "time-sync.target",
        "???? ????????.txt",
        "systemd-networkd.service",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols",
        "nmb.service",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.url",
        "bloom.py",
        "rpc-gssd.service",
        "systemd-hibernate.service",
        "iptables.service",
        "systemd-pcrphase-initrd.service",
        "logrotate.service",
        "canberra-system-bootup.service",
        "virtinterfaced.service",
        "gtr.js",
        "systemd-logind.service",
        "npm-adduser.md",
        "expl_cve_2021_40444.yar.001",
        "systemd-coredump.socket",
        "nss-user-lookup.target",
        "plasma-kscreen-osd.service",
        "link.js",
        "keyboxd.socket",
        "uninstall.js",
        "pcscd.socket",
        "empty.exe",
        "migrate.sh",
        "accounts-daemon.service",
        "https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code",
        "parse.js",
        "libc6-i386_2.7-10ubuntu3_amd64.url",
        "libc6-i386_2.29-0ubuntu2_amd64.info",
        "libc6-i386_2.23-0ubuntu3_amd64.symbols",
        "virtlockd.socket",
        "alsa-restore.service",
        "couchdb.service",
        "80-systemd-timesync.list",
        "neo4j.service",
        "libc6-i386_2.7-10ubuntu3_amd64.symbols",
        "systemd-tmpfiles-clean.service",
        "paths.target",
        "color-support",
        "gpg-agent-ssh@.socket",
        "npm-help.md",
        "systemd-firstboot.service",
        "vt100",
        "plasma-workspace-wayland.target",
        "libc6-i386_2.30-0ubuntu2.1_amd64.url",
        "git.py",
        "elasticsearch.service",
        "systemd-storagetm.service",
        "systemd-suspend-then-hibernate.service",
        "pipewire.service",
        "npm-ls.md",
        "libc6-i386_2.24-3ubuntu2.2_amd64.info",
        "serial-getty@.service",
        "notes.txt",
        "itl-logo (2).txt",
        "borgmatic-user.service",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.url",
        "mdmon@.service",
        "installed-deep.js",
        "fsck.ext3",
        "plasma-xdg-desktop-portal-kde.service",
        "npm-query.md",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols",
        "libc6-i386_2.23-0ubuntu11_amd64.url",
        "virtnetworkd-ro.socket",
        "neq.js",
        "cmp.js",
        "did-you-mean.js",
        "empty (2)",
        "zfs-scrub@.service",
        "time-set.target",
        "capsule.slice",
        "systemd-battery-check.service",
        "npm-search.md",
        "cape-processor.service",
        "clash.service",
        "access.js",
        "systemd-journal-remote.service",
        "pkgtool (2)",
        "payload.php.015",
        "gssuserproxy.socket",
        "libc6-i386_2.30-0ubuntu2_amd64.symbols",
        "npm-pkg.md",
        "50-rc_keymap.conf",
        "gvmd.service",
        "mdcheck_continue.timer",
        "pipewire-pulse.socket",
        "lte.js",
        "lightdm.service",
        "systemd-repart.service",
        "systemd-vconsole-setup.service",
        "sslh-fork.service",
        "eicar",
        "dependency-selectors.md",
        "runlevel2.target",
        "libc6-i386_2.26-0ubuntu2_amd64.url",
        "stage2",
        "fastnetmon.service",
        "systemd-creds.socket",
        "nsswitch.conf",
        "mariadb@.service",
        "libc6-i386_2.26-0ubuntu2.1_amd64.info",
        "uuidd.service",
        "npm-pack.md",
        "zfs-import-cache.service",
        "dbus-org.freedesktop.locale1.service",
        "p11-kit-server.service",
        "range.bnf",
        "systemd.hu.catalog",
        "i2pd.service",
        "nvmf-autoconnect.service",
        "zgrep",
        "cat_file.py",
        "libc6-i386_2.19-0ubuntu6.15_amd64.symbols",
        "plasma-kscreen.service",
        "libc6-i386_2.17-0ubuntu5_amd64.url",
        "modules.ieee1394map",
        "nvidia",
        "80-container-vz.link",
        "libc6-i386_2.24-3ubuntu2.2_amd64.symbols",
        "drkonqi-coredump-launcher@.service",
        "gpm.path",
        "libc6-i386_2.9-4ubuntu6.3_amd64.symbols",
        "update-workspaces.js",
        "payload.php.014",
        "lxc-monitord.service",
        "btrfs-scrub@.timer",
        "privoxy.service",
        ".X1025-lock",
        "systemd-tpm2-setup.service",
        "nm-cloud-setup.timer",
        "wtmp",
        "dbus-org.freedesktop.machine1.service",
        "libc6-i386_2.15-0ubuntu10.18_amd64.symbols",
        "drkonqi-coredump-launcher.socket",
        "lxc-auto.service",
        "xdg-desktop-portal.service",
        "libc6-i386_2.6.1-1ubuntu10_amd64.symbols",
        "SeTfull (2)",
        "mongodb.service",
        "issue",
        "cups-lpd@.service",
        "snmptrapd.service",
        "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications_0.pdf",
        "geoipupdate.timer",
        "xdg-desktop-portal-rewrite-launchers.service",
        "npm-config.md",
        "libc6-i386_2.24-11+deb9u4_amd64.info",
        "arcolinux-graphical-target.service",
        "rsyncd@.service",
        "NetworkManager-ovs.conf",
        "gnome-keyring-daemon.socket",
        "PROMPThelp (2)",
        "libc6-i386_2.24-3ubuntu1_amd64.info",
        "libc6-i386_2.30-4_amd64.symbols",
        "ftp.py",
        "logrotate.timer",
        "package-json.md",
        "libc6-i386_2.21-0ubuntu4_amd64.url",
        "libnm.pc",
        "kio-fuse.service",
        "systemd-sysupdate-reboot.timer",
        "blockdev@.target",
        "systemd-suspend.service",
        "b.txt",
        "libc6-i386_2.6.1-1ubuntu10_amd64.info",
        "query.js",
        "systemd-halt.service",
        "npm-help-search.md",
        "HOSTNAME (2)",
        "tlp",
        "prefix.js",
        "background.slice",
        "systemd-ask-password-plymouth.path",
        "tick.py",
        "systemd-pcrlock-firmware-config.service",
        "archlinux-keyring-wkd-sync.timer",
        "plymouth-read-write.service",
        "removepkg (2)",
        "bolt.service",
        "systemd-hostnamed.service",
        "named.service",
        "libyara.la",
        "libc6-i386_2.15-0ubuntu20_amd64.url",
        "gpg-agent-extra@.socket",
        "pacman-filesdb-refresh.timer",
        "major.js",
        "restore.py",
        "systemd-pcrlock-firmware-code.service",
        "swap.target",
        "npm-install.md",
        "nvmf-connect.target",
        "virtproxyd-tls.socket",
        "midx.py",
        "integritysetup.target",
        "version.py",
        "avahi-dnsconfd.service",
        "svnserve.service",
        "ModemManager.service",
        "slackinstall (2)",
        "greenbone-feed-sync.timer",
        "folders.md",
        "apt_sandworm_exim_expl.yar.002",
        "nvmefc-boot-connections.service",
        "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1",
        "fwupd-refresh.timer",
        "openvpn-client@.service",
        "SeTkeymap (2)",
        "INSNFS (2)",
        "plasma-ksplash-ready.service",
        "README (2)",
        "virtchd-ro.socket",
        "systemd-rfkill.socket",
        "libc6-i386_2.10.1-0ubuntu15_amd64.symbols",
        "libc6-i386_2.26-0ubuntu2_amd64.info",
        "clamav-daemon.service",
        "reflector.timer",
        "payload.php.017",
        "filter-chain.service",
        "help.js",
        "systemd.pt_BR.catalog",
        "bettercap.service",
        "cape-dist.service",
        "modules.pcimap",
        "90-nm-thunderbolt.rules",
        "nvmf-connect@.service",
        "nm-pppd-plugin.la",
        "rfkill-block@.service",
        "uuidd.socket",
        "systemd-journal-remote.socket",
        "search.php",
        "nfs-blkmap.service",
        "ras-mc-ctl.service",
        "syslog.socket",
        "a4033901479",
        "nftables.service",
        "systemd-creds@.service",
        "SeTkernel",
        "libc6-i386_2.27-3ubuntu1_amd64.symbols",
        "SeTmaketag (2)",
        "systemd-machined.service",
        "systemd.zh_TW.catalog",
        "plymouth-halt.service",
        "systemd-homed.service",
        "libc6-i386_2.5-0ubuntu14_amd64.info",
        "mkdirp",
        "virtvboxd.socket",
        "services",
        "systemd-nspawn@.service",
        "npm-hook.md",
        "podman-auto-update.service",
        "libvirtd.socket",
        "constants.js",
        "sddm.service",
        "dirmngr@etc-pacman.d-gnupg.socket",
        "libc6-i386_2.13-0ubuntu13.2_amd64.symbols",
        "system-update.target",
        "plasma-core.target",
        "dbus-org.freedesktop.login1.service",
        "format-bytes.js",
        "start.js",
        "10-login-barrier.conf",
        "adduser.js",
        "virtqemud.socket",
        "epmd.service",
        "gpsd.service",
        "clamav-freshclam.service",
        "libc6-i386_2.29-0ubuntu2_amd64.url",
        "INSdir (2)",
        "xl2tpd.service",
        "zfs-import.service",
        "pkgtool",
        "npmrc.md",
        "upower.service",
        "installed-package-contents",
        "capsule@.service",
        "90-nm-cloud-setup.sh",
        "npm-init.md",
        "libc6-i386_2.19-18+deb8u10_amd64.info",
        "fsidd.service",
        "INSCD (2)",
        "user.slice",
        "nm-priv-helper.service",
        "npm-find-dupes.md",
        "systemd-growfs@.service",
        "systemd-sysupdate-reboot.service",
        "systemd-journal-gatewayd.service",
        "borgmatic-user.timer",
        "clamav-freshclam-once.timer",
        "libc6-i386_2.17-93ubuntu4_amd64.url",
        "root.js",
        "payload.php.011",
        "isnsd.service",
        "gpg-agent-browser@.socket",
        "npm-prefix.md",
        "wireplumber.service",
        "identifiers.js",
        "systemd-update-done.service",
        "80-ethernet.network.example",
        "clamav-daemon.socket",
        "cfdisk (2)",
        "zfs-scrub-monthly@.timer",
        "sendcmd.rc",
        "80-container-ve.link",
        "runlevel5.target",
        "virtnetworkd-admin.socket",
        "plasma-kwallet-pam.service",
        "completion.fish",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.info",
        "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661da09794b343782806018e",
        "npm.js",
        "systemd.zh_CN.catalog",
        "libc6-i386_2.24-11+deb9u4_amd64.url",
        "plasma-powerprofile-osd.service",
        "iscsiuio.socket",
        "min-satisfying.js",
        "initrd-udevadm-cleanup-db.service",
        "slackinstall",
        "libc6-i386_2.9-4ubuntu6_amd64.info",
        "libc6-i386_2.13-0ubuntu13.2_amd64.info",
        "max-satisfying.js",
        "ldconfig.service",
        ".:ads.txt",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.info",
        "libc6-i386_2.11.1-0ubuntu7.12_amd64.url",
        "libc6-i386_2.13-20ubuntu5_amd64.url",
        "registry.md",
        "ls.js",
        "deprecate.js",
        "host (2).conf",
        "suspend.target",
        "mariadb-extra.socket",
        "libc6-i386_2.24-3ubuntu2.2_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.info",
        "cape.service",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.info",
        "libvirtd-tls.socket",
        "libc6-i386_2.9-4ubuntu6_amd64.symbols",
        "lvm2-lvmpolld.socket",
        "nsswitch (2).conf",
        "dialogrc (2)",
        "podman.socket",
        "yallist.js",
        "system-systemd\\x2dveritysetup.slice",
        "apt_sandworm_exim_expl.yar.001",
        "systemd.ru.catalog",
        "virtinterfaced-admin.socket",
        "mtab",
        "desktop.ini",
        "vdecmd",
        "plymouth-kexec.service",
        "vt300 (2)",
        "gpg-agent-ssh.socket",
        "systemd.catalog",
        "sbom.js",
        "cssesc",
        "stdcrt",
        "nvidia-persistenced.service",
        "virtstoraged-ro.socket",
        "damage.py",
        "plymouth.conf",
        "hibernate.target",
        "xdg-desktop-portal-xapp.service",
        "git-daemon.socket",
        "cpupower",
        "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence",
        "initrd-root-fs.target",
        "satisfies.js",
        "gt.js",
        "package-url-cmd.js",
        "cxl-monitor.service",
        "virtqemud-admin.socket",
        "gvfs-mtp-volume-monitor.service",
        "preload.js",
        "clash@.service",
        "keyboxd@.service",
        "update.js",
        "libc6-i386_2.13-20ubuntu5_amd64.info",
        "nvidia-suspend.service",
        "systemd-boot-check-no-failures.service",
        "sigpwr.target",
        "suricata.service",
        "rebuild.js",
        "SeTDOS",
        "cups.path",
        "libc6-i386_2.13-0ubuntu13_amd64.url",
        "pulseaudio-x11.service",
        "mdadm.shutdown",
        "keyboxd@etc-pacman.d-gnupg.socket",
        "colord.service",
        "doctor.js",
        "e2scrub_fail@.service",
        "template-WaR2X6",
        "reify-finish.js",
        "wpa_supplicant@.service",
        "INShd",
        "systemd-sysctl.service",
        "iiod.service",
        "app.slice",
        "plasma-workspace.target",
        "virtnwfilterd-admin.socket",
        "unmigrate (2).sh",
        "stdcrt (2)",
        "obexstress",
        "modules.pnpbiosmap",
        "mdadm-last-resort@.service",
        "npm-docs.md",
        "rc-local.service",
        "systemd-fsck@.service",
        "SeTpasswd",
        "zfs-share.service",
        "index (2).py",
        "open-url.js",
        "dmraid.service",
        "npm-install-ci-test.md",
        "hv_fcopy_daemon.service",
        "xdg-document-portal.service",
        "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776",
        "libc6-i386_2.11.1-0ubuntu7_amd64.symbols",
        "libc6-i386_2.24-11+deb9u4_amd64.symbols",
        "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols",
        "SeTPKG (2)",
        "libc6-i386_2.23-0ubuntu10_amd64.url",
        "mysqld.service",
        "pulseaudio.socket",
        "payload.php",
        "borgmatic.service",
        "empty",
        "libc6-i386_2.23-0ubuntu11_amd64.info",
        "drecurse.py",
        "bluetooth.service",
        "rdnssd@.service",
        "https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader",
        "xfs_scrub_all.service",
        "libnm-device-plugin-wwan.la",
        "libc6-i386_2.30-0ubuntu2.1_amd64.info",
        "mdadm-grow-continue@.service",
        "xsettingsd.service",
        "npm-uninstall.md",
        "dhclient@.service",
        "smartd.service",
        "main.py",
        "login (2).defs",
        "systemd.hr.catalog",
        "gpg-agent.service",
        "cups.socket",
        "libc6-i386_2.13-20ubuntu5.3_amd64.url",
        "payload.php.007",
        "HOSTNAME",
        "rabbitmq.service",
        "libc6-i386_2.28-0ubuntu1_amd64.symbols",
        "flatpak-portal.service",
        "source_info.py",
        "itl-logo (3).txt",
        "libc6-i386_2.13-20ubuntu5.3_amd64.symbols",
        "virtnetworkd.service",
        "systemd-boot-random-seed.service",
        "valid.js",
        "netavark-dhcp-proxy.service",
        "NetworkManager-wait-online.service",
        "group (2)",
        "ly.service",
        "systemd.be.catalog",
        "libc6-i386_2.3.6-0ubuntu20.6_amd64.url",
        "docker.service",
        "slapd.service",
        "parent.php",
        "error-message.js",
        "plasma-baloorunner.service",
        "prune.js",
        "avahi-daemon.service",
        "finger@.service",
        "clamav-unofficial-sigs.service",
        "https://hybrid-analysis.com/sample/9613dee39157b5f9935436b36647047e267b7c10fa4c7ab1fd995db681e58c12/661da5b202eaca78740cf4ed",
        "fund.js",
        "exit-handler.js",
        "vboxdrmclient.service",
        "remote-fs.target",
        "unbound.service",
        "join.py",
        "mdcheck_start.timer",
        "server.py",
        "adb.service",
        "payload.php.016",
        "boot-complete.target",
        "libc6-i386_2.23-0ubuntu10_amd64.symbols",
        "npm-exec.md",
        "libnm-device-plugin-bluetooth.la",
        "systemd-sysext@.service",
        "libc6-i386_2.9-4ubuntu6_amd64.url",
        "ostree-boot-complete.service",
        "hv_kvp_daemon.service",
        "rescue.service",
        "explain-dep.js",
        "nvidia-hibernate.service",
        "systemd-pcrlock@.service",
        "whoami.js",
        "systemd-tpm2-setup-early.service",
        "npm-whoami.md",
        "adsl.service",
        "canberra-system-shutdown-reboot.service",
        "virtproxyd.socket",
        "inittab (2)",
        "installpkg",
        "systemd-bless-boot.service",
        "ssh-access.target",
        "lastlog2-import.service",
        "ldd",
        "network.target",
        "hv_vss_daemon.service",
        "custom.py",
        "libc6-i386_2.4-1ubuntu12_amd64.symbols",
        "initrd-fs.target",
        "debug-shell.service",
        "gcr-ssh-agent.socket",
        "libc6-i386_2.10.1-0ubuntu19_amd64.info",
        "fstab (2)",
        "dm-event.socket",
        "libc6-i386_2.15-0ubuntu10.18_amd64.url",
        "fluidsynth.service",
        "btrfs-scrub@.service",
        "finger.socket",
        "libc6-i386_2.21-0ubuntu4.3_amd64.info",
        "payload.php.003",
        "systemd-hibernate-resume.service",
        "virt-guest-shutdown.target",
        "disk2 (2)",
        "SeTswap (2)",
        "systemd-hostnamed.socket",
        "libnm-device-plugin-wifi.la",
        "virtlogd.service",
        "runlevel4.target",
        "gnome-terminal-server.service",
        "geoclue.service",
        "fstrim.timer",
        "opensnitchd.service",
        "compare.js",
        "getty.target",
        "wpa_supplicant.service",
        "systemd-pcrfs-root.service",
        "systemd-journald-audit.socket",
        "systemd-initctl.service",
        "a1676298638",
        "tpm2.target",
        "explain.js",
        "dir:ads.txt",
        "payload.php.002",
        "pkgfile-update.service",
        "usbipd.service",
        "log-shim.js",
        "krb5-kpropd.service",
        "__init__ (2).py",
        "nfsdcld.service",
        "libcrypto.pc",
        "iscsi.service",
        "syslog (2).conf",
        "plasma-kded6.service",
        "systemd-modules-load.service",
        "usb_modeswitch@.service",
        "libc6-i386_2.30-0ubuntu2_amd64.url",
        "mdmonitor.service",
        "zfs-trim-weekly@.timer",
        "lxc-net.service",
        "npm-star.md",
        "initrd-cleanup.service",
        "probe (2)",
        "libc6-i386_2.30-0ubuntu2.1_amd64.symbols",
        "resolv.conf",
        "connect.php.002",
        "remote-veritysetup.target",
        "npm-usage.js",
        "dist-tag.js",
        "initrd-root-device.target",
        "kcptun@.service",
        "systemd.de.catalog",
        "https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent",
        "probe",
        "reflector.service",
        "libc6-i386_2.28-10_amd64.info",
        "installpkg (2)",
        "audit.js",
        "README",
        "plasma-kded.service",
        "podman-restart.service",
        "config.js",
        "dbus-org.freedesktop.import1.service",
        "wireplumber@.service",
        "dbus-org.freedesktop.hostname1.service",
        "runlevel6.target",
        "get.js",
        "SeTnopart (2)",
        "emergency.service",
        "multi-user.target",
        "create_ap.service",
        "vmtoolsd.service",
        "libc6-i386_2.7-10ubuntu8.3_amd64.symbols",
        "nscd.service",
        "termcap",
        "libc6-i386_2.4-1ubuntu12.3_amd64.info",
        "get.py",
        "xfce4-notifyd.service",
        "libc6-i386_2.17-0ubuntu5_amd64.symbols",
        "greenbone-scapdata-sync.service",
        "e2scrub_all.service",
        "tag.py",
        "paccache.timer",
        "reader.php",
        "libc6-i386_2.8~20080505-0ubuntu9_amd64.info",
        "libc6-i386_2.4-1ubuntu12_amd64.info",
        "xstat (2).py",
        "xfs_scrub_fail@.service",
        "login.js",
        "ntpdate.service",
        "metadata.py",
        "virtsecretd.service",
        "cape-fstab.service",
        "krb5-kpropd@.service",
        "elasticsearch@.service",
        "auth-rpcgss-module.service",
        "printer.target",
        "zfs-scrub-weekly@.timer",
        "sudo_logsrvd.service",
        "rc.S",
        "systemd-networkd-persistent-storage.service",
        "get-identity.js",
        "phoromatic-client.service",
        "lorem.txt",
        "ll.js",
        "itl-logo.txt",
        "single.php",
        "ltr.js",
        "tmp.mount",
        "eicar.txt",
        "sslh.service",
        "90-systemd.preset",
        "libc6-i386_2.17-93ubuntu4_amd64.info",
        "gpg-agent.socket",
        "bup-import-rdiff-backup",
        "veritysetup.target",
        "89-ethernet.network.example",
        "ssh-agent.service",
        "nvidia-resume.service",
        "rescue.target",
        "mariadb-extra@.socket",
        "virtinterfaced.socket",
        "rsyncd.service",
        "virtlxcd.service",
        "suricata-update.service",
        "tracker-xdg-portal-3.service",
        "gpg-agent@etc-pacman.d-gnupg.socket",
        "rm (2).py",
        "npm-ci.md",
        "99-default.link",
        "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications.pdf",
        "logging.md",
        "payload.php.010",
        "npm-completion.md",
        "libc6-i386_2.30-0ubuntu2_amd64.info",
        "pack.js",
        "dev-hugepages.mount",
        "libc6-i386_2.21-0ubuntu4.3_amd64.symbols",
        "libc6-i386_2.17-0ubuntu5.1_amd64.symbols",
        "npm-shrinkwrap-json.md",
        "pwdgrp.py",
        "systemd-localed.service",
        "virtqemud.service",
        "systemd-pcrextend@.service",
        "virtvboxd-ro.socket",
        "cmd-list.js",
        "cli.js",
        "logout.js",
        "mariadb.service",
        "uksmd.service",
        "npm-test.md",
        "hlinkdb.py",
        "fwupd.shutdown",
        "libc6-i386_2.12.1-0ubuntu10.4_amd64.url",
        "b.txt:ads.txt",
        "mtools.conf",
        "SeTkernel (2)",
        "system-update-cleanup.service",
        "libc6-i386_2.9-4ubuntu6.3_amd64.info",
        "npm-fund.md",
        "systemd-pcrextend.socket",
        "flatpak-system-helper.service",
        "token.js",
        "npm-view.md",
        "avahi-daemon.socket",
        "shells (2)",
        "proc-fs-nfsd.mount",
        "flatpak-session-helper.service",
        "initrd-switch-root.target",
        "npm-rebuild.md",
        "disk2",
        "motd",
        "cups-lpd.socket",
        "runlevel3.target",
        "factory-reset.target",
        "node-which",
        "keyboxd@.socket",
        "npm-dedupe.md",
        "tinc.service",
        "iscsi-init.service",
        "system-systemd\\x2dcryptsetup.slice",
        "virtsecretd.socket",
        "partimaged.service",
        "xstat.py",
        "diff.js",
        "30-root-verity-sig.conf",
        "lxdm.service",
        "e2scrub_all.timer",
        "e2scrub_reap.service",
        "auditd.service",
        "80-6rd-tunnel.network",
        "find-dupes.js",
        "xdg-desktop-portal-gtk.service",
        "profile.js",
        "libc6-i386_2.15-0ubuntu20_amd64.info",
        "tor.service",
        "virtnetworkd.socket",
        "rpcbind.target",
        "bluetooth.target",
        "ibft-rule-generator",
        "func.py",
        "dm-event.service",
        "ld.so (2).conf",
        "systemd-pcrlock-make-policy.service",
        "systemd-pcrmachine.service",
        "virtlogd-admin.socket",
        "libc6-i386_2.17-0ubuntu5.1_amd64.url",
        "npm-dist-tag.md",
        "seatd.service",
        "minor.js",
        "ndctl-monitor.service",
        "20-root-verity.conf",
        "SeTmaketag",
        "systemd-ask-password-wall.path",
        "lvm2-lvmpolld.service",
        "libc6-i386_2.11.1-0ubuntu7.21_amd64.url",
        "asyncrecv.rc",
        "gpsdctl@.service",
        "replace-info.js",
        "npm-repo.md",
        "packagekit-offline-update.service",
        "apparmor.service",
        "ssh.py",
        "local-fs.target",
        "telnet.socket",
        "min-version.js",
        "dnsmasq.service",
        "10-root.conf",
        "explain-eresolve.js",
        "libc6-i386_2.26-0ubuntu2.1_amd64.symbols",
        "ostree-finalize-staged.service",
        "notes.txt:ads",
        "libc6-i386_2.23-0ubuntu11_amd64.symbols",
        "libc6-i386_2.10.1-0ubuntu19_amd64.symbols",
        "fancontrol.service",
        "systemd-hybrid-sleep.service",
        "login.defs",
        "modprobe@.service",
        "vt300",
        "snort@.service",
        "lxc.service",
        "nohang.service",
        "virtstoraged-admin.socket",
        "veritysetup-pre.target",
        "read-user-info.js",
        "expl_cve_2021_40444.yar",
        "split.py",
        "libc6-i386_2.31-0ubuntu6_amd64.info",
        "libc6-i386_2.26-0ubuntu2.1_amd64.url",
        "bpftune.service",
        "final.target",
        "virtvboxd.service",
        "systemd-homed-firstboot.service",
        "ufw.service",
        "libc6-i386_2.13-20ubuntu5.2_amd64.url",
        "xfs_scrub@.service",
        "nfsv4-server.service",
        "container-getty@.service",
        "outside.js",
        "SeTfdHELP (2)",
        "10-defaults.conf",
        "libc6-i386_2.19-10ubuntu2_amd64.url",
        "README.md",
        "owner.js",
        "rc.ieee1394",
        "polkit.service",
        "keyboxd.service",
        "iscsid.socket",
        "fsck (2).ext3",
        "rlogin@.service",
        "rasdaemon.service",
        "nvmf-connect-nbft.service",
        "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5",
        "phoronix-result-server.service",
        "payload.php.001",
        "dhcpd4.service",
        "iodined.service",
        "scanner.php",
        "libc6-i386_2.31-0ubuntu6_amd64.symbols",
        "xplico.service",
        "iwd.service",
        "star.js",
        "input.pcap",
        "vpnc@.service",
        "libc6-i386_2.24-3ubuntu1_amd64.url",
        "publish.js",
        "ppp@.service",
        "10-arch",
        "timers.target",
        "httpd.service",
        "b529967783",
        "fdisk (2)",
        "virtnodedevd-ro.socket",
        "eicar.002",
        "hook.js",
        "greenbone-certdata-sync.timer",
        "fsck.py",
        "var-lib-machines.mount",
        "SeTpasswd (2)",
        "xdg-user-dirs-update.service",
        "virtstoraged.socket",
        "80-wifi-adhoc.network",
        "securetty (2)",
        "libvirtd-admin.socket",
        "modules.usbmap",
        "docker.socket",
        "ostree-finalize-staged.path",
        "systemd-update-utmp-runlevel.service",
        "machines.target",
        "systemd-quotacheck-root.service",
        "explore.js",
        "systemd-userdbd.service",
        "exabgp.service",
        "mkinitcpio-generate-shutdown-ramfs.service",
        "libc6-i386_2.3.6-0ubuntu20_amd64.url",
        "getPerms.php",
        "iscsid.service",
        "stunnel.service",
        "xrdp-sesman.service",
        "setup (2)",
        "ostree-remount.service",
        "inc.js",
        "canberra-system-shutdown.service",
        "midx (2).py",
        "payload.php.012",
        "autorandr-lid-listener.service",
        "zfs-zed.service",
        "helpers.py",
        "systemd-journal-upload.service",
        "rc.inet1",
        "ci.js",
        "local-fs-pre.target",
        "80-container-vb.network",
        "plasma-kcminit.service",
        "vt100 (3)",
        "sound.target",
        "modules.generic_string",
        "rfkill-unblock@.service",
        "systemd-kexec.service",
        "virtsecretd-ro.socket",
        "rlogin.socket",
        "fstrim.service",
        "tumblerd.service",
        "gpm.service",
        "gpg-agent-ssh@etc-pacman.d-gnupg.socket",
        "systemd-tmpfiles-setup-dev-early.service",
        "sslh-select.service",
        "arborist",
        "libc6-i386_2.30-4_amd64.url",
        "libc6-i386_2.11.1-0ubuntu7_amd64.info",
        "initrd-parse-etc.service",
        "systemd-fsck-root.service",
        "fstab",
        "systemd-udevd-control.socket",
        "rsort.js",
        "libnm-ppp-plugin.la",
        "subset.js",
        "ptunnel.service",
        "nopartHELP",
        "install.md",
        ".X1024-lock",
        "shquote.py",
        "libc6-i386_2.10.1-0ubuntu19_amd64.url",
        "wacom-inputattach@.service",
        "iptables-flush",
        "systemd-portabled.service",
        "phoromatic-server.service",
        "compare-build.js",
        "libc6-i386_2.15-0ubuntu10_amd64.info",
        "podman.service",
        "zfs-import-scan.service",
        "compat.py",
        "systemd-journal-flush.service",
        "libc6-i386_2.19-10ubuntu2.3_amd64.symbols",
        "daemon.py",
        "kexec.target",
        "ratholes@.service",
        "systemd-timedated.service",
        "list_idx.py",
        "unmigrate.sh",
        "mtab (2)",
        "unpublish.js",
        "SUSE-mdadm_env.sh",
        "sbom-cyclonedx.js",
        "zfs.target",
        "virtlogd.socket",
        "audit-rules.service",
        "systemd-quotacheck.service",
        "vmware-vmblock-fuse.service",
        "libc6-i386_2.30-4_amd64.info",
        "epmd.socket",
        "FDhelp",
        "sunjava_map.xml",
        "libc6-i386_2.24-9ubuntu2_amd64.url",
        "connect.php",
        "npm-cache.md",
        "systemd.it.catalog",
        "pipewire-pulse.service",
        "libc6-i386_2.11.1-0ubuntu7.11_amd64.info",
        "3proxy.conf",
        "shrinkwrap.js",
        "libc6-i386_2.7-10ubuntu8.3_amd64.info",
        "otplease.js",
        "systemd.be@latin.catalog",
        "default.target",
        "80-container-vz.network",
        "sndiod.service",
        "npm-shrinkwrap.md",
        "install.js",
        "84-nm-drivers.rules",
        "ls (2).py",
        "sort.js",
        "user@.service",
        "gssproxy.service",
        "krb5-kdc.service",
        "drkonqi-sentry-postman.service",
        "wg-quick@.service",
        "libc6-i386_2.12.1-0ubuntu6_amd64.info",
        "systemd-rfkill.service",
        "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc",
        "nbd.service",
        "dirmngr.socket",
        "dbus-broker-launch.catalog",
        "tree.py",
        "plasma-kwin_wayland.service",
        "thunar.service",
        "libc6-i386_2.12.1-0ubuntu6_amd64.url",
        "mdmonitor-oneshot.timer",
        "npm-run-script.md",
        "scripts.md",
        "orgs.md",
        "libc6-i386_2.19-18+deb8u10_amd64.symbols",
        "virtnodedevd.service",
        "20-systemd-userdb.conf",
        "init.js",
        "greenbone-nvt-sync.service",
        "rc.usb",
        "ntpd.service",
        "init.py",
        "tinc@.service",
        "freeradius.service",
        "unstar.js",
        "rpc-statd.service",
        "virtnodedevd.socket",
        "libssl.pc",
        "payload.php.008",
        "SeTconfig",
        "bup-import-rsnapshot",
        "talk.socket",
        "debug.js",
        "virtstoraged.service",
        "securetty",
        "gpg-agent-browser.socket",
        "rwhod.service",
        "parse-options.js",
        "qemu-guest-agent.service",
        "wpa_supplicant-nl80211@.service",
        "vboxservice.service",
        "redis-sentinel.service",
        "intersects.js",
        "openvpn-server@.service",
        "plasma-workspace-x11.target",
        "version.js",
        "virtnwfilterd.service",
        "npm-update.md",
        "syslinux.cfg",
        "workspaces.md",
        "systemd-bootctl@.service"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Dolphin Loader"
          ],
          "malware_families": [
            "Darkgate",
            "Rhadamanthys",
            "Dolphin loader",
            "Lummac2",
            "Sectoprat",
            "Redline"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Chinese Speaking"
          ],
          "malware_families": [
            "Winbindoptions",
            "Saml",
            "Nmbdoptions",
            "Successaction",
            "Remote access",
            "Smbdoptions",
            "Emba",
            "Oss",
            "Bushwalk",
            "Godzilla",
            "Pitstop",
            "Remainafterexit"
          ],
          "industries": [
            "Telecommunication",
            "Defense",
            "Industrial",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "66c3479768ec16f58ae7dfe7",
      "name": "The Abuse of ITarian RMM by Dolphin Loader",
      "description": "This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system monitoring, to operate stealthily and evade detection. The report provides an in-depth analysis of the Dolphin Loader's techniques, including the use of AutoIt scripts for payload execution and the abuse of the ITarian RMM software's 'Procedures' feature to run malicious Python scripts on registered devices.",
      "modified": "2024-09-18T13:00:26.861000",
      "created": "2024-08-19T13:24:38.403000",
      "tags": [
        "itarian",
        "evade",
        "sectoprat",
        "autoit",
        "malware-as-a-service",
        "lummac2",
        "dolphin loader",
        "rhadamanthys",
        "stealthy",
        "redline",
        "python",
        "darkgate",
        "rmm"
      ],
      "references": [
        "https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader"
      ],
      "public": 1,
      "adversary": "Dolphin Loader",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Dolphin Loader",
          "display_name": "Dolphin Loader",
          "target": null
        },
        {
          "id": "SectopRAT",
          "display_name": "SectopRAT",
          "target": null
        },
        {
          "id": "LummaC2",
          "display_name": "LummaC2",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1085",
          "name": "Rundll32",
          "display_name": "T1085 - Rundll32"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 210,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 9,
        "domain": 11
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376506,
      "modified_text": "572 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d241ad80972b915e79f7ee",
      "name": "Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2 - Real-time Open Source Software Supply Chain Security",
      "description": "The SafeDep Team reveals details of a series of malicious npm Strapi plugin packages that deploy a Redis RCE, database theft, and a persistent C2.",
      "modified": "2026-04-05T11:04:09.969000",
      "created": "2026-04-05T11:04:09.969000",
      "tags": [
        "strong",
        "april",
        "devnull",
        "payload",
        "redis",
        "strapi",
        "phase",
        "config set",
        "json",
        "c2 agent",
        "python",
        "malware",
        "config",
        "stop",
        "harvester",
        "info",
        "trojan",
        "back",
        "grep",
        "payment",
        "download",
        "pass",
        "false",
        "cold",
        "shell",
        "target",
        "terminal",
        "attack",
        "code",
        "install",
        "remote access"
      ],
      "references": [
        "https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Remote Access",
          "display_name": "Remote Access",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1525",
          "name": "Implant Internal Image",
          "display_name": "T1525 - Implant Internal Image"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "darksword",
        "id": "381736",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 1,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "679a4267fe0eab278232f610",
      "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
      "description": "The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.",
      "modified": "2025-02-28T14:02:13.817000",
      "created": "2025-01-29T14:59:51.674000",
      "tags": [
        "ipv4",
        "pgpassword",
        "d brokerdb",
        "strong",
        "cisa",
        "ttyunknown",
        "userroot",
        "pgsqlpw",
        "u gsbadmin",
        "redacted gsb",
        "cyber",
        "tools",
        "python",
        "gogo",
        "psexec",
        "sector",
        "local",
        "download",
        "matrix",
        "upgrade",
        "install",
        "zero",
        "contact",
        "small",
        "execution",
        "persistence"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "FileHash-MD5": 21,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 9,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 846,
      "modified_text": "409 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "679721f054b8ee5989a51106",
      "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications",
      "description": "The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in\nIvanti\u2019s Connect Secure, Policy Secure and ZTA Gateways",
      "modified": "2025-02-26T06:04:49.150000",
      "created": "2025-01-27T06:04:32.848000",
      "tags": [
        "Vulnerabilities",
        "Threat"
      ],
      "references": [
        "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications_0.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "FileHash-MD5": 14,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 9,
        "domain": 2
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 263,
      "modified_text": "412 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6793958f83ca397972dd5e0c",
      "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
      "description": "This intelligence provides actionable insights into the September 2024 exploitation of Ivanti Cloud Service Appliances (CSA) by attackers who chained various Ivanti CSA vulnerabilities with CVE-2024-8963. The chaining of these vulnerabilities led to unauthorized access, remote code execution, credential theft, and webshell deployment. Even though exploitation occurred in September 2024, organizations using affected versions of Ivanti CSA are still at risk. The Advisory warns that \"Credentials and sensitive data stored within affected Ivanti appliances should be considered compromised.\"",
      "modified": "2025-02-23T13:01:46.148000",
      "created": "2025-01-24T13:28:47.127000",
      "tags": [
        "threattype/Vulnerability Exploitation",
        "threattype/Webshell Deployment",
        "threattype/Remote Code Execution",
        "threattype/Credential Theft",
        "kevc/Ivanti Cloud Service Appliances (CSA) CVE-2024-8963, CVE-20",
        "Industries/All Industries"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1564.002",
          "name": "Hidden Users",
          "display_name": "T1564.002 - Hidden Users"
        },
        {
          "id": "T1548.003",
          "name": "Sudo and Sudo Caching",
          "display_name": "T1548.003 - Sudo and Sudo Caching"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1595.002",
          "name": "Vulnerability Scanning",
          "display_name": "T1595.002 - Vulnerability Scanning"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "FileHash-MD5": 22,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 9,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "414 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6791fd7e620f43b14ba8977a",
      "name": "Ivanti Cloud Service Applications IoC",
      "description": "The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are\nreleasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities\nin Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code\nexecution vulnerabilities.",
      "modified": "2025-02-22T08:03:34.212000",
      "created": "2025-01-23T08:27:42.846000",
      "tags": [],
      "references": [
        "https://www.cisa.gov/sites/default/files/2025-01/aa25-022a-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 9,
        "domain": 2
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 50,
      "modified_text": "416 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67916dc1b703933501892988",
      "name": "Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA",
      "description": "",
      "modified": "2025-02-21T22:02:47.333000",
      "created": "2025-01-22T22:14:25.494000",
      "tags": [
        "ipv4",
        "pgpassword",
        "d brokerdb",
        "strong",
        "cisa",
        "ttyunknown",
        "userroot",
        "pgsqlpw",
        "u gsbadmin",
        "redacted gsb",
        "cyber",
        "tools",
        "python",
        "gogo",
        "psexec",
        "sector",
        "local",
        "download",
        "matrix",
        "upgrade",
        "install",
        "zero",
        "contact",
        "small",
        "execution",
        "persistence"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "FileHash-MD5": 22,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 9,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "416 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "676da40ba4a260f1ce70f336",
      "name": "Analyzing Malicious Intent in Python Code: A Case Study | FortiGuard Labs",
      "description": "AI security scans detected two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, designed for surveillance, data theft, and unauthorized access. Zebo-0.1.0 uses stealthy techniques like keylogging and screen recording to exfiltrate data and maintain persistence. Cometlogger-0.1 exhibits advanced capabilities including webhook manipulation, information theft, anti-VM evasion, and dynamic file modification. Both pose significant security risks, emphasizing the need for robust cybersecurity measures",
      "modified": "2024-12-26T18:44:27.769000",
      "created": "2024-12-26T18:44:27.769000",
      "tags": [
        "python",
        "fortiguard labs threat research",
        "internet",
        "run antivirus",
        "tools",
        "reformat",
        "prevention code",
        "review",
        "implement",
        "python script",
        "imagegrab",
        "antivm",
        "malicious",
        "oss"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "OSS",
          "display_name": "OSS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 212,
      "modified_text": "473 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "506 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "506 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "subprocess.call",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "subprocess.call",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776154862.983871
}